
h2o

41 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-61684
< 2026-01-18
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840
7.5 HIGH
CVE-2025-10769
>= 3.0.0.2 and <= 3.46.0.8
A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLTable of th
6.3 MEDIUM
CVE-2025-10768
>= 3.0.0.2 and <= 3.46.0.8
A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQLTable of
6.3 MEDIUM
CVE-2025-6544
>= 3.0.0.2 and <= 3.46.0.8
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and
9.8 CRITICAL
CVE-2024-8616
all versions
In h2oai/h2o-3 version 3.46.0, the /99/Models/{name}/json endpoint allows for arbitrary file overwrite on the target server. The
8.2 HIGH
CVE-2024-8062
all versions
A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a `H
7.5 HIGH
CVE-2024-7768
all versions
A vulnerability in the /3/ImportFiles endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. Th
7.5 HIGH
CVE-2024-7765
all versions
In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denia
7.5 HIGH
CVE-2024-6863
all versions
In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target
6.5 MEDIUM
CVE-2024-6854
all versions
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to ex
7.1 HIGH
CVE-2024-10572
all versions
In h2oai/h2o-3 version 3.46.0.1, the run_tool command exposes classes in the water.tools package through the ast parser. Thi
7.5 HIGH
CVE-2024-10553
all versions
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code vi
9.8 CRITICAL
CVE-2024-10550
all versions
A vulnerability in the /3/ParseSetup endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The e
7.5 HIGH
CVE-2024-10549
all versions
A vulnerability in the /3/Parse endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoi
7.5 HIGH
CVE-2024-45403
>= 2024-06-18 and < 2024-09-04
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests
3.7 LOW
CVE-2024-45397
< 2024-10-10
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fa
5.9 MEDIUM
CVE-2024-25622
<= 2024-02-11
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler a
3.1 LOW
CVE-2024-8862
all versions
A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. This issue affects the function getConn
7.3 HIGH
CVE-2024-45758
<= 3.46.0.4
H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and
9.1 CRITICAL
CVE-2024-5979
all versions
In h2oai/h2o-3 version 3.46.0, the run_tool command in the rapids component allows the main function of any class under the
7.5 HIGH
CVE-2024-5550
all versions
In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup
5.3 MEDIUM
CVE-2024-1456
all versions
An S3 bucket takeover vulnerability was identified in the h2oai/h2o-3 repository. The issue involves the S3 bucket 'http://s3.amaz
7.1 HIGH
CVE-2023-6569
all versions
External Control of File Name or Path in h2oai/h2o-3
8.2 HIGH
CVE-2023-50247
<= 2.2.6
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The QUIC stack (quicly), as used by H2O up to commit 43f86e5 (
3.7 LOW
CVE-2023-41337
<= 2.2.6
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to li
6.1 MEDIUM
CVE-2023-6038
all versions
A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitra
7.5 HIGH
CVE-2023-6017
all versions
H2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL.
7.1 HIGH
CVE-2023-6013
all versions
H2O is vulnerable to stored XSS vulnerability which can lead to a Local File Include attack.
5.4 MEDIUM
CVE-2023-6016
all versions
An attacker is able to gain remote code execution on a server hosting the H2O dashboard through its POJO model import feature.
9.8 CRITICAL
CVE-2023-44487
< 2023-10-10
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q
7.5 HIGH
CVE-2023-30847
<= 2.2.6
H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of inva
8.2 HIGH
CVE-2021-43848
< 2021-12-20
h2o is an open source http server. In code prior to the 8c0eca3 commit h2o may attempt to access uninitialized memory. When rece
7.4 HIGH
CVE-2018-0608
<= 2.2.4
Buffer overflow in H2O version 2.2.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (D
9.8 CRITICAL
CVE-2017-10908
<= 2.2.3
H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/2 head
7.5 HIGH
CVE-2017-10872
<= 2.2.3
H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via unspecified vectors.
6.5 MEDIUM
CVE-2017-10869
<= 2.2.2
Buffer overflow in H2O version 2.2.2 and earlier allows remote attackers to cause a denial-of-service in the server via unspecifie
7.5 HIGH
CVE-2017-10868
< 2.2.3
H2O version 2.2.2 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/1 head
7.5 HIGH
CVE-2016-7835
<= 2.0.4
Use-after-free vulnerability in H2O allows remote attackers to cause a denial-of-service (DoS) or obtain server certificate privat
9.1 CRITICAL
CVE-2016-4864
>= 2.0.0 and <= 2.0.3
H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remote attackers to cause a denial-of-service (DoS) via format s
7.5 HIGH
CVE-2016-4817
<= 1.7.2
lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 mishandles HTTP/2 disconnection, which allows remote attacke
7.5 HIGH
CVE-2016-1133
<= 1.6.1
CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 all
3.7 LOW
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin