CVE-2025-6507

NONE EPSS 95.8%
Published Sep 1, 202510mo ago · Modified Jun 17, 20262w ago
Find Similar
Published Sep 1, 2025 10mo ago
Last Modified Jun 17, 2026 2w ago

Description

A vulnerability in the h2oai/h2o-3 repository allows attackers to exploit deserialization of untrusted data, potentially leading to arbitrary code execution and reading of system files. This issue affects the latest master branch version 3.47.0.99999. The vulnerability arises from the ability to bypass regular expression filters intended to prevent malicious parameter injection in JDBC connections. Attackers can manipulate spaces between parameters to evade detection, allowing for unauthorized file access and code execution. The vulnerability is addressed in version 3.46.0.8.

Threat Intelligence

EPSS Exploit Probability
95.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data Validation

References 2

  • github.com https://github.com/h2oai/h2o-3/commit/f714edd6b8429c7a7211b779b6ec108a95b7382d
  • huntr.com https://huntr.com/bounties/0a9d527a-2d39-4bc0-bf01-1e717587f077

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.