PT-2025-38661 · H2O.Ai · H2O-3
Published 2025-06-23 · Updated 2026-05-22 · CVE-2025-6544
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
h2oai/h2o-3 versions 3.46.0.8 and earlier
Description
A deserialization issue exists in h2oai/h2o-3 versions 3.46.0.8 and earlier that allows attackers to read arbitrary system files and execute arbitrary code. The vulnerability stems from improper handling of JDBC connection parameters: the regular-expression checks applied to those parameters can be bypassed by supplying double-URL-encoded values.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
H2O-3