CVE-2024-10550
Published 2025-03-20
Priority: P3 39 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.59% (43.7th percentile)
A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint applies a user-specified regular expression to a user-controllable string. An attacker can exploit this to trigger inefficient regular expression evaluation (CWE-1333), which exhausts server resources and makes the server unresponsive.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h2o | h2o | — | — |
| h2o | h2o | 3.30.0.7 – 3.46.0.1 | — |
| h2oai | h2oai_h2o-3 | unspecified – latest | — |
GHSA
H2O Vulnerable to Denial of Service (DoS) via `/3/ParseSetup` Endpoint
ghsa·2025-03-20
CVE-2024-10550 [HIGH] CWE-1333 H2O Vulnerable to Denial of Service (DoS) via `/3/ParseSetup` Endpoint
OSV
H2O Vulnerable to Denial of Service (DoS) via `/3/ParseSetup` Endpoint
osv·2025-03-20
CVE-2024-10550 [HIGH] H2O Vulnerable to Denial of Service (DoS) via `/3/ParseSetup` Endpoint
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-03-20