
Description

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.

PUBLISHED | Reserved 2025-06-23 | Published 2025-09-21 | Updated 2025-09-22 | Assigner @huntr_ai

CRITICAL: 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Any version before 3.46.8: affected

References

huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40 exploit

huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40

github.com/...ommit/0298ee348f5c73673b7b542158081e79605f5f25

cve.org (CVE-2025-6544)

nvd.nist.gov (CVE-2025-6544)
