CVE-2025-6544

Severity: NONE · EPSS 53.2%
Published Sep 21, 2025 (9mo ago) · Modified Jun 17, 2026 (2w ago)

Description

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters: the regular-expression checks applied to those parameters can be bypassed by using double URL encoding. This issue impacts all users of the affected versions.

Threat Intelligence

EPSS Exploit Probability
53.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data

Affected Products 1

Vendor   Product   Version   Range
h2o      h2o       *         ≥3.0.0.2 – ≤3.46.0.8

References 2

  • github.com https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25
    Patch
  • huntr.com https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40
    Exploit, Third Party Advisory

Remediation

  • github.com https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25
    Patch