CVE-2024-7768
HIGH
h2oai/h2o-3 3.46.1 - Denial of Service via Recursive Path Parameter in ImportFiles Endpoint
Title source: llm
Description
A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.
References (1)
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6
Scores
CVSS v3: 7.5
EPSS: 0.0051
EPSS Percentile: 66.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-770
Status: published
Products (3)
ai.h2o/h2o-core
0 Maven
h2o/h2o
3.46.1
pypi/h2o
0 PyPI
Published: Mar 20, 2025
Tracked Since: Feb 18, 2026