CVE-2025-6544
published 2025-09-21

Priority: P263
Severity: critical, CVSS 3.0 base score 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.84% (53.2nd percentile)
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.

Affected (3 ranges)

Vendor   Product       Version range              Fixed in
h2o      h2o           0 – 3.46.0.7
h2o      h2o           3.0.0.2 – 3.46.0.8
h2oai    h2oai_h2o-3   >= unspecified, < 3.46.8   3.46.8