CVE-2025-6544
NONE EPSS 53.2%
Published Sep 21, 2025 (9mo ago) · Modified Jun 17, 2026 (2w ago)
Description
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.
Threat Intelligence
EPSS Exploit Probability
53.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-502 Deserialization of Untrusted Data
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| h2o | h2o | * | ≥3.0.0.2 – ≤3.46.0.8 |
References 2
- github.com https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25
- huntr.com https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40
Remediation
- github.com https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25