Remote Code Execution Vulnerability in h2o-3 REST API by h2oai
CVE-2024-10553

9.8CRITICAL

Key Information:

Vendor: H2oai
Status: H2oai/h2o-3
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-10553?

A vulnerability in the h2o-3 REST API allows unauthenticated remote attackers to execute arbitrary code by exploiting deserialization of untrusted data. This occurs specifically in the POST /99/ImportSQLTable and POST /3/SaveToHiveTable endpoints, where user-controlled JDBC URLs are improperly passed to DriverManager.getConnection. If a MySQL or PostgreSQL driver is present in the classpath, it can lead to serious security implications. This issue has been addressed in h2o-3 version 3.47.0, and users are advised to upgrade to mitigate potential threats.

Affected Version(s)

h2oai/h2o-3 < 3.47.0

References

https://huntr.com/bounties/e6f550dd-eda2-428c-a740-ed8f89...

https://github.com/h2oai/h2o-3/commit/ac1d642b4d86f10a02d...

CVSS V3.0

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Oct 30, 2024

JSON

H2oai

What is CVE-2024-10553?

Affected Version(s)

References

CVSS V3.0

Timeline