Remote Code Execution Vulnerability in H2O-3 REST API by H2O.ai
CVE-2025-5662
9.8 CRITICAL
What is CVE-2025-5662?
A deserialization vulnerability in the H2O-3 REST API allows attackers to exploit improper validation of JDBC connection parameters, leading to remote code execution. The issue affects all versions of H2O-3 prior to 3.46.0.8 and was reported in combination with MySQL JDBC Driver version 8.0.19 and JDK version 8u112. Because the flaw lets unauthorized commands run in the context of the application, updating to the patched version 3.46.0.8 is the recommended mitigation.
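The description above attributes the flaw to insufficient validation of attacker-supplied JDBC connection parameters before they reach the driver. The following Java class is an added, self-contained illustration of the defensive pattern a service that accepts JDBC URLs from API callers should apply: parse the URL, accept only a known set of connection properties, and fail closed on anything else. It is not H2O-3 code and is not the vendor's fix; the class name, the allowed schemes, and the contents of the allowlist are assumptions chosen for the example and would need to be set per deployment.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Allowlist-based validator for JDBC URLs received from an untrusted caller.
// Hypothetical example class; the property and scheme lists are assumptions.
public final class JdbcUrlAllowlist {

    // Assumed set of connection properties the service is willing to forward
    // to the driver. Compared case-insensitively so spelling variants cannot
    // slip past the check. Anything not listed is rejected, which is the
    // behaviour that keeps unknown driver features out of reach of callers.
    private static final Set<String> ALLOWED_PARAMS = Set.of(
            "usessl", "requiressl", "servertimezone",
            "connecttimeout", "sockettimeout", "characterencoding");

    // Assumed set of database schemes the service supports.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("mysql", "postgresql");

    public static final class RejectedUrlException extends Exception {
        public RejectedUrlException(String msg) { super(msg); }
    }

    private JdbcUrlAllowlist() {}

    /**
     * Validates a JDBC URL and returns its accepted query parameters.
     * Throws RejectedUrlException for any URL that should not reach the driver.
     */
    public static Map<String, String> validate(String jdbcUrl) throws RejectedUrlException {
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:")) {
            throw new RejectedUrlException("not a jdbc: URL");
        }
        // Strip the "jdbc:" prefix; the remainder follows ordinary URI syntax.
        URI uri;
        try {
            uri = new URI(jdbcUrl.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            throw new RejectedUrlException("unparseable URL: " + e.getMessage());
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new RejectedUrlException("scheme not allowed: " + scheme);
        }
        if (uri.getHost() == null) {
            throw new RejectedUrlException("missing host");
        }

        Map<String, String> accepted = new LinkedHashMap<>();
        String rawQuery = uri.getRawQuery();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return accepted;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String rawKey = eq < 0 ? pair : pair.substring(0, eq);
            String rawVal = eq < 0 ? "" : pair.substring(eq + 1);
            // Decode before comparing so percent-encoded names cannot bypass the list.
            String key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8)
                    .trim().toLowerCase(Locale.ROOT);
            String val = URLDecoder.decode(rawVal, StandardCharsets.UTF_8);
            if (key.isEmpty()) {
                throw new RejectedUrlException("empty parameter name");
            }
            if (!ALLOWED_PARAMS.contains(key)) {
                throw new RejectedUrlException("parameter not allowed: " + key);
            }
            // A repeated parameter is ambiguous (which value does the driver use?), so reject it.
            if (accepted.putIfAbsent(key, val) != null) {
                throw new RejectedUrlException("duplicate parameter: " + key);
            }
        }
        return accepted;
    }

    // Constructed sample inputs: one URL that passes and two that are refused.
    public static void main(String[] args) {
        String[] samples = {
            "jdbc:mysql://db.internal:3306/app?useSSL=true&serverTimezone=UTC",
            "jdbc:mysql://db.internal:3306/app?useSSL=true&unlistedOption=1",
            "jdbc:h2:mem:test"
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + validate(s));
            } catch (RejectedUrlException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile and run with `javac JdbcUrlAllowlist.java && java JdbcUrlAllowlist`. The design choice worth noting is that the check is an allowlist rather than a denylist of known-bad properties: a denylist has to be updated every time a driver gains a new feature, whereas an allowlist only ever forwards properties the service has deliberately reviewed.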
Affected Version(s)
h2oai/h2o-3 < 3.46.0.8
References
CVSS V3.0
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
