CVE-2024-7768

Name of the Vulnerable Software and Affected Versions h2oai/h2o-3 version 3.46.1

Description A vulnerability in the "/3/ImportFiles" endpoint allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, path, which can be recursively set to reference itself, leading the server to repeatedly call its own endpoint and eventually filling up the request queue, leaving the server unable to handle other requests.

Recommendations For version 3.46.1, as a temporary workaround, consider restricting access to the "/3/ImportFiles" endpoint until a patch is available. Avoid using the path parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.