micronaut-http-client Infinite Redirect Loop Denial of Service
The Micronaut HTTP client will follow HTTP redirects forever with no limit, so a malicious server can trap a client thread in an infinite loop and cause a denial of service.
The problem
The Netty-based `DefaultHttpClient` in `io.micronaut:micronaut-http-client` followed HTTP 3xx redirect responses without ever counting how many hops it had taken. There was no configurable or hard-coded maximum redirect depth.
Any service that the Micronaut application talks to, including one under attacker control, could return an endless chain of redirect responses. The client thread loops forever, consuming resources and preventing normal request completion. CVSS 7.5 (High), attack vector: Network, no authentication required.
Proof of concept
A working proof-of-concept for this issue in io.micronaut:micronaut-http-client, with the exact payload below.
HTTP/1.1 302 Found
Location: /redirect
Content-Length: 0
The redirect-following logic in `DefaultHttpClient` (lines ~1591 and ~2071 pre-patch) recursively re-issued requests on every 3xx response with no hop counter. The patch introduced a `maxRedirects` check: the client now increments a counter on each redirect and throws `HttpClientException` once the limit is exceeded, breaking the loop.
The vulnerability is CWE-834 (Excessive Iteration). Any endpoint under attacker control that returns `302 Location: /redirect` pointing back to itself is sufficient to trigger it. No special headers or auth are needed, making this a zero-setup network-reachable DoS.
The fix
Upgrade `io.micronaut:micronaut-http-client` to one of the patched releases: 3.10.7 (Micronaut 3), 4.10.24 (Micronaut 4), or 5.0.1 (Micronaut 5). No configuration workaround exists in unpatched versions. Patch commits: c06a271 (3.x), f1dffff (4.x), 6e88a97 (5.x).
Reported by Sergio del Amo (sdelamo).
Related research
- high · 7.5CVE-2026-49485CVE-2026-49485: org.hl7.fhir.dstu2 FHIRPathEngine ReDoS via Unprotected matches()
- high · 8.1CVE-2026-49464CVE-2026-49464: NL Portal Taak IDOR Allows Takeover of Any User's Open Task
- high · 8CVE-2026-49832CVE-2026-49832: DSpace Remote Code Execution via Velocity Template Injection in LDN
- highCVE-2026-34151CVE-2026-34151: XWiki Platform Old Core Path Traversal via /skin/ Endpoint on Jetty 12