CVE-2024-7768: H2O Vulnerable to Denial of Service (DoS) via `/3/ImportFiles` Endpoint

March 20, 2025

A vulnerability in the /3/ImportFiles endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, path, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.

References

github.com/advisories/GHSA-p2vc-m5fv-9w9m
github.com/h2oai/h2o-3
github.com/h2oai/h2o-3/blob/7d418fa19d3ab434f742818e37f891bef9102c97/h2o-core/src/main/java/water/api/ImportFilesHandler.java
huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6
nvd.nist.gov/vuln/detail/CVE-2024-7768

Detect and mitigate CVE-2024-7768 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →