CVE-2024-10549

Name of the Vulnerable Software and Affected Versions h2oai/h2o-3 version 3.46.0.1

Description A denial of service (DoS) attack is possible due to a vulnerability in the "/3/Parse" endpoint. This endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an attacker can exhaust all available threads, leading to a complete denial of service.

Recommendations For version 3.46.0.1, as a temporary workaround, consider restricting access to the "/3/Parse" endpoint until a patch is available. Avoid using the endpoint with user-specified strings that could lead to excessive resource utilization.