Directory Traversal Vulnerability in H2O.ai's Machine Learning Platform
CVE-2024-6854

7.1HIGH

Key Information:

Vendor: H2oai
Status: H2oai/h2o-3
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-6854?

In version 3.46.0 of H2O.ai's H2O-3, a directory traversal flaw exists within the model export endpoint. This vulnerability permits an attacker to export a model to any location on the server's filesystem, potentially overwriting critical files. Although the attacker cannot control the content of the overwritten file, this flaw poses a significant risk, as it can compromise the functionality and integrity of the server.

Affected Version(s)

h2oai/h2o-3 <= unspecified

References

https://huntr.com/bounties/97d013f9-ac51-4c80-8dd7-8dfde1...

CVSS V3.0

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Jul 17, 2024

JSON

H2oai

What is CVE-2024-6854?

Affected Version(s)

References

CVSS V3.0

Timeline