CVE-2024-7768 – ai.h2o:h2o-core
Package
Manager: maven
Name: ai.h2o:h2o-core
Vulnerable Version: >=0 <=3.46.1
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00145 (percentile: 0.35529)
Details
H2O Vulnerable to Denial of Service (DoS) via `/3/ImportFiles` Endpoint
A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.
Metadata
Created: 2025-03-20T12:32:46Z
Modified: 2025-03-20T20:04:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-p2vc-m5fv-9w9m/GHSA-p2vc-m5fv-9w9m.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-p2vc-m5fv-9w9m
Finding: F002
Auto approve: 1