CVE-2025-6544
Published 2025-09-21
Priority: P2 · 63 · critical · 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.84% (53.2nd percentile)
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h2o | h2o | 0 – 3.46.0.7 | — |
| h2o | h2o | 3.0.0.2 – 3.46.0.8 | — |
| h2oai | h2oai_h2o-3 | >= unspecified < 3.46.8 | 3.46.8 |
GHSA
ghsa · 2025-09-22
CVE-2025-6544 [CRITICAL] CWE-502: H2O affected by a deserialization vulnerability
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.
OSV
osv · 2025-09-22
CVE-2025-6544 [CRITICAL]: H2O affected by a deserialization vulnerability
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.