PT-2025-12045 · H2O.Ai · H2O-3

Published 2025-03-20 · Updated 2025-07-14 · CVE-2024-10550

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: h2oai/h2o-3 version 3.46.0.1

Description: A denial of service (DoS) attack can be performed by exploiting a vulnerability in the "/3/ParseSetup" endpoint. This endpoint applies a user-specified regular expression to a user-controllable string, so an attacker who controls both can trigger inefficient regular expression complexity. This exhausts server resources and makes the server unresponsive.

Recommendations: For h2oai/h2o-3 version 3.46.0.1, consider disabling access to the "/3/ParseSetup" endpoint until a patch is available to prevent potential denial of service attacks. Additionally, restrict users' ability to specify regular expressions in this endpoint to minimize the risk of exploitation.
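
One way to bound the cost of a caller-supplied regular expression in Java, the language H2O-3's server is written in. This is an added example, not H2O-3 code or its patch; the class and method names and the limits (256-character pattern, 10,000-character input, 100 ms budget) are assumptions chosen for illustration.

```java
import java.util.regex.Pattern;

public class BoundedRegex {
    // CharSequence view that aborts a match once its deadline has passed.
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;
        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        @Override public char charAt(int index) {
            // java.util.regex reads input through charAt, also while backtracking.
            if (System.nanoTime() - deadlineNanos > 0) {
                throw new IllegalStateException("regex time budget exceeded");
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    // Returns the match result, or throws when a size or time limit is exceeded.
    static boolean matchesWithin(String userRegex, String input, long budgetMillis) {
        if (userRegex.length() > 256 || input.length() > 10_000) { // assumed limits
            throw new IllegalArgumentException("pattern or input too long");
        }
        long deadline = System.nanoTime() + budgetMillis * 1_000_000L;
        return Pattern.compile(userRegex).matcher(new DeadlineCharSequence(input, deadline)).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign pattern and a textbook nested quantifier.
        // Whether the second one exceeds the budget depends on the JDK's regex engine.
        String[][] cases = { {"[a-z]+\\d*", "column42"}, {"(a+)+$", "a".repeat(40) + "!"} };
        for (String[] c : cases) {
            try {
                System.out.println(c[0] + " -> " + matchesWithin(c[0], c[1], 100));
            } catch (IllegalStateException e) {
                System.out.println(c[0] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The deadline only stops the matching thread; a request handler still has to catch the exception and return an error to the caller instead of retrying.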

Exploit · Fix · DoS

Weakness Enumeration

Related Identifiers

CVE-2024-10550
GHSA-7QQ7-PVM9-X8RF

Affected Products

H2O-3