CVE-2025-10769

Medium CVSS: 5.3

A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLTable of the component H2 JDBC Driver. Such manipulation of the argument connection_url leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vendor

H2o

Product

H2o

CWE

CWE-20

Yayın Tarihi

2025-09-21 10:15:48

Güncelleme

2025-10-08 19:58:40

Source Identifier

cna@vuldb.com

KEV Date Added

Kategoriler

CWE-20 H2o MEDIUM H2o 2025

Referanslar

https://github.com/ez-lbz/poc/issues/51 https://github.com/ez-lbz/poc/issues/51#issue-3391023368 https://huntr.com/bounties/4066ce21-7148-44f5-8336-b1674c2f588d https://vuldb.com/?ctiid.325125 https://vuldb.com/?id.325125 https://vuldb.com/?submit.649728 https://vuldb.com/?submit.649793 https://github.com/ez-lbz/poc/issues/51 https://github.com/ez-lbz/poc/issues/51#issue-3391023368 https://huntr.com/bounties/4066ce21-7148-44f5-8336-b1674c2f588d

Benzer Kayıtlar

High

CVE-2025-61684

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a…

Medium

CVE-2025-10768

A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQ…

Critical

CVE-2025-6544

A deserialization vulnerability exists in h2oai/h2o-3 versions

High

CVE-2024-8616

In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json` endpoint allows for arbitrary file overwrite on the target s…

High

CVE-2024-8062

A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint per…

High

CVE-2024-7768

A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of s…