CVE-2025-0782

Name of the Vulnerable Software and Affected Versions h2oai/h2o-3 (affected versions not specified)

Description A vulnerability in the S3 bucket configuration allows public write access to the 'h2o-release' bucket. This could enable an attacker to overwrite any file in the bucket, potentially leading to remote code execution (RCE) on any user who uses the application. An attacker could also modify the documentation to include malicious download links.

Recommendations As a temporary workaround, consider restricting write access to the 'h2o-release' bucket until a proper configuration fix is applied. Avoid using the S3 bucket for downloading binary files such as JARs until the issue is resolved. Restrict access to the bucket's documentation to prevent modification of download links. At the moment, there is no information about a newer version that contains a fix for this vulnerability.