CVE-2025-6544: H2O affected by a deserialization vulnerability
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.7 that allows attackers to read arbitrary system files and execute arbitrary code. The root cause is improper handling of JDBC connection parameters: the regular-expression checks intended to reject dangerous parameters can be bypassed by double URL-encoding them, so that a value the check does not recognize is decoded again downstream into the blocked form. This issue affects all users of the affected versions. Treating a blocklist regex as the only barrier between user-supplied connection strings and a JDBC driver is fragile; inputs should be canonicalized (decoded to a fixed point) before any pattern check, or the connection parameters should be constrained to an allowlist rather than filtered.
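The following is an added example written for this page, not code from h2o-3 or from the advisory, that shows the general shape of the bypass described above: a check that percent-decodes once and then runs a blocklist regex, contrasted with a check that decodes to a fixed point first. The blocked option names, the sample URLs, and the assumption that a downstream parser decodes the value a second time are all illustrative choices made for the example and are not taken from the h2o-3 code base; Python is used here so the logic can be run stand-alone.

```python
import re
from urllib.parse import unquote

# Assumed blocklist of JDBC driver options a filter would want to keep out of
# a user-supplied connection URL. Illustrative only; not h2o-3's actual list.
BLOCKED = re.compile(
    r"allowLoadLocalInfile|allowUrlInLocalInfile|autoDeserialize",
    re.IGNORECASE,
)

# Constructed sample URLs for the demonstration (not from the advisory).
PLAIN = "jdbc:mysql://db.example/test?autoDeserialize=true"
SINGLE = "jdbc:mysql://db.example/test?%61utoDeserialize=true"
DOUBLE = "jdbc:mysql://db.example/test?%2561utoDeserialize=true"
BENIGN = "jdbc:postgresql://db.example/test?ssl=true"


def naive_check(raw_url: str) -> bool:
    """Vulnerable pattern: percent-decode once, then run the blocklist regex.

    Returns True when the URL is accepted. A double-encoded option survives
    the single decode as '%61utoDeserialize', which the regex does not match.
    """
    decoded_once = unquote(raw_url)
    return BLOCKED.search(decoded_once) is None


def downstream_value(raw_url: str) -> str:
    """Model (an assumption of this example) of what a later parser sees:
    a second percent-decoding applied after naive_check has already run."""
    return unquote(unquote(raw_url))


def canonicalize(value: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing.

    Refuses inputs nested deeper than max_rounds rather than guessing.
    """
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("too many layers of percent-encoding")


def hardened_check(raw_url: str) -> bool:
    """Canonicalize first, then apply the same regex. Returns True when accepted."""
    try:
        canonical = canonicalize(raw_url)
    except ValueError:
        return False
    return BLOCKED.search(canonical) is None


def bypasses(raw_url: str) -> bool:
    """True when naive_check accepts the URL but the downstream parser still
    ends up with a blocked option, i.e. the regex was bypassed."""
    return naive_check(raw_url) and BLOCKED.search(downstream_value(raw_url)) is not None


if __name__ == "__main__":
    for label, url in (("plain", PLAIN), ("single", SINGLE), ("double", DOUBLE), ("benign", BENIGN)):
        print(f"{label:6} naive={naive_check(url)!s:5} "
              f"hardened={hardened_check(url)!s:5} bypass={bypasses(url)}")
```

Running the block shows that the single-encoded and plain URLs are caught by both checks, while the double-encoded URL passes `naive_check` and still reaches the downstream parser as `autoDeserialize=true`; `hardened_check` rejects it because it compares against the fully decoded form. In a real service an allowlist of permitted parameter names, applied to the canonical form, is a stronger control than any blocklist regex.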