CVE-2024-7765

Name of the Vulnerable Software and Affected Versions h2oai/h2o-3 version 3.46.0.2

Description A denial of service issue occurs when uploading and repeatedly parsing a large GZIP file, causing the server to become unresponsive due to memory exhaustion and a large number of concurrent slow-running jobs. This is caused by the improper handling of highly compressed data, leading to significant data amplification.

Recommendations For version 3.46.0.2, consider restricting the upload and parsing of large GZIP files to prevent memory exhaustion and denial of service. As a temporary workaround, limit the number of concurrent jobs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.