CVE-2024-5979: h2o vulnerable to unexpected POST request shutting down server

June 27, 2024 (updated October 15, 2025)

In h2oai/h2o-3 version 3.46.0, the run_tool command in the rapids component allows the main function of any class under the water.tools namespace to be called. One such class, MojoConvertTool, crashes the server when invoked with an invalid argument, causing a denial of service.

References

github.com/advisories/GHSA-58m3-rcvp-f9ww
github.com/h2oai/h2o-3
github.com/h2oai/h2o-3/commit/d0899f8e0f7a584b60405a65b1d7b439aaaa55a5
huntr.com/bounties/d80a2139-fc03-44b7-b739-de41e323b458
nvd.nist.gov/vuln/detail/CVE-2024-5979

Code Behaviors & Features

Detect and mitigate CVE-2024-5979 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →