CVE-2025-6544

CRITICAL

h2o-3 <= 3.46.0.8 - Open Redirect

Title source: llm

Description

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.

References (2)

[Patch] https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40

Scores

CVSS v3 9.8

EPSS 0.0042

EPSS Percentile 61.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (3)

h2o/h2o < 3.46.0.8

ai.h2o/h2o-core Maven

pypi/h2o PyPI

Timeline

Published Sep 21, 2025

Tracked Since Feb 18, 2026