CVE-2024-7768: Denial of Service in h2oai/h2o-3

7.5 CVSS

Description

A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.

Classification

CVE ID: CVE-2024-7768

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-400 Uncontrolled Resource Consumption

Affected Products

Vendor: h2oai

Product: h2oai/h2o-3

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.01% (proportion of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-7768
https://huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6

Timeline