CVE-2025-6507
NONE EPSS 95.8%
Published Sep 1, 202510mo ago · Modified Jun 17, 20262w ago
Published Sep 1, 2025 10mo ago
Last Modified Jun 17, 2026 2w ago
Description
A vulnerability in the h2oai/h2o-3 repository allows attackers to exploit deserialization of untrusted data, potentially leading to arbitrary code execution and reading of system files. This issue affects the latest master branch version 3.47.0.99999. The vulnerability arises from the ability to bypass regular expression filters intended to prevent malicious parameter injection in JDBC connections. Attackers can manipulate spaces between parameters to evade detection, allowing for unauthorized file access and code execution. The vulnerability is addressed in version 3.46.0.8.
Threat Intelligence
EPSS Exploit Probability
95.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-502 Deserialization of Untrusted Data Validation
References 2
- github.com https://github.com/h2oai/h2o-3/commit/f714edd6b8429c7a7211b779b6ec108a95b7382d
- huntr.com https://huntr.com/bounties/0a9d527a-2d39-4bc0-bf01-1e717587f077
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.