CRITICAL🇵🇱 Wersja polska

CVE-2025-6544

CVSS 9.8v3.0pub. 2025-09-21upd. 2025-10-08

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of JDBC connection parameters, where input data is validated using regular expressions (regex). An attacker can bypass these security measures by using double URL encoding, which allows malicious parameters to be smuggled through. The crafted data then reaches the deserialization process (CWE-502), where untrusted data is processed without proper validation, leading to arbitrary code execution on the server side.

Impact

An attacker can gain full control over the server: execute arbitrary code (RCE), read sensitive system files, and consequently compromise or destroy processed data and the H2O environment.

Mitigation & patch

H2O should be updated as soon as possible to a version containing the fix indicated in the vendor's references (commit 0298ee348f5c73673b7b542158081e79605f5f25 in the GitHub repository). Until the patch is deployed, network access to H2O instances should be restricted to trusted hosts only, and the ability to configure JDBC connections by untrusted users should be blocked.

Who is affected

H2O (h2o-3) in all versions up to and including 3.46.0.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • H2o

    APP
    H2O
    3.0.0.2 – 3.46.0.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-3960CRITICAL9.8PL ✓ten sam produkt

RCE przez obejście blacklisty JDBC w REST API H2O-3

CVE-2024-10553CRITICAL9.8PL ✓ten sam produkt

RCE poprzez deserializację w REST API h2oai/h2o-3 (JDBC URL)

CVE-2024-45758CRITICAL9.1PL ✓ten sam produkt

H2O.ai H2O — RCE i odczyt plików przez niekontrolowany JDBC URL

CVE-2023-6016CRITICAL9.8ten sam produkt

An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO mode...

CVE-2024-10550HIGH7.5ten sam produkt

A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service...