9.8

CVE-2025-6544

Exploit

EPSS 0.42%
Veröffentlicht 21.09.2025 09:00:09
Zuletzt bearbeitet 08.10.2025 20:05:02
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

H2o ≫ H2o Version >= 3.0.0.2 <= 3.46.0.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.42%	0.618

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40

Third Party Advisory

Exploit

https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-6544

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-6544

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-6544

EUVD