Description

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.

INFO

Published Date :

2025-09-21T09:00:09.724Z

Last Modified :

2025-09-22T17:23:25.409Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2025-6544 vulnerability.

Vendors Products
H2o
  • H2o
H2oai
  • H2o-3
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-6544.

URL Resource
https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25 cve-icon cve-icon
https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact