Vulnerability Description
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| H2O | H2O | >= 3.0.0.2, <= 3.46.0.8 |
Related Weaknesses (CWE)
References
- https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25Patch
- https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40ExploitThird Party Advisory
- https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40ExploitThird Party Advisory
FAQ
What is CVE-2025-6544?
CVE-2025-6544 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handlin...
How severe is CVE-2025-6544?
CVE-2025-6544 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-6544?
Check the references section above for vendor advisories and patch information. Affected products include: H2O H2O.