GHSA-p2vc-m5fv-9w9m

Source

https://github.com/advisories/GHSA-p2vc-m5fv-9w9m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-p2vc-m5fv-9w9m/GHSA-p2vc-m5fv-9w9m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p2vc-m5fv-9w9m

Aliases

CVE-2024-7768

Published

2025-03-20T12:32:46Z

Modified

2025-10-16T08:07:08.148673Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

H2O Vulnerable to Denial of Service (DoS) via `/3/ImportFiles` Endpoint

Details

A vulnerability in the /3/ImportFiles endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, path, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-20T20:04:27Z",
    "severity": "HIGH",
    "nvd_published_at": "2025-03-20T10:15:37Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ]
}

References

Affected packages

PyPI / h2o

Package

Name: h2o; View open source insights on deps.dev
Purl: pkg:pypi/h2o

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.46.1

Affected versions

3.*

3.10.0.3

3.10.0.6

3.10.0.7

3.10.0.8

3.10.0.10

3.10.3.3

3.10.3.4

3.10.4.1

3.10.4.2

3.10.4.3

3.10.4.4

3.10.4.6

3.10.4.8

3.16.0.1

3.16.0.2

3.16.0.3

3.16.0.4

3.18.0.1

3.18.0.2

3.18.0.3

3.18.0.4

3.18.0.5

3.18.0.6

3.18.0.7

3.18.0.8

3.18.0.9

3.18.0.10

3.18.0.11

3.20.0.4

3.20.0.5

3.20.0.6

3.20.0.7

3.20.0.8

3.22.0.1

3.22.0.2

3.22.0.3

3.22.0.4

3.22.0.5

3.22.1.1

3.22.1.2

3.22.1.3

3.22.1.4

3.22.1.5

3.22.1.6

3.24.0.1

3.24.0.2

3.24.0.3

3.24.0.4

3.24.0.5

3.26.0.1

3.26.0.2

3.26.0.3

3.26.0.4

3.26.0.5

3.26.0.6

3.26.0.8

3.26.0.9

3.26.0.10

3.26.0.11

3.28.0.1

3.28.0.2

3.28.0.3

3.28.1.2

3.28.1.3

3.30.0.1

3.30.0.2

3.30.0.3

3.30.0.4

3.30.0.5

3.30.0.6

3.30.0.7

3.30.1.1

3.30.1.2

3.30.1.3

3.32.0.2

3.32.0.3

3.32.0.4

3.32.0.5

3.32.1.1

3.32.1.2

3.32.1.3

3.32.1.4

3.32.1.5

3.32.1.6

3.32.1.7

3.34.0.3

3.34.0.7

3.34.0.8

3.36.0.2

3.36.0.3

3.36.0.4

3.36.1.1

3.36.1.2

3.36.1.3

3.36.1.4

3.36.1.5

3.38.0.1

3.38.0.2

3.38.0.3

3.38.0.4

3.40.0.1

3.40.0.2

3.40.0.3

3.40.0.4

3.42.0.1

3.42.0.2

3.42.0.3

3.42.0.4

3.44.0.1

3.44.0.2

3.44.0.3

3.46.0.1

3.46.0.2

3.46.0.3

3.46.0.4

3.46.0.5

3.46.0.6

3.46.0.7

3.46.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-p2vc-m5fv-9w9m/GHSA-p2vc-m5fv-9w9m.json"

Maven / ai.h2o:h2o-core

Package

Name: ai.h2o:h2o-core; View open source insights on deps.dev
Purl: pkg:maven/ai.h2o/h2o-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.46.1

Affected versions

0.*

0.1.3

0.1.3.1

0.1.4

0.1.5

0.1.6

0.1.8

0.1.9

0.1.10

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.16

0.1.17

0.1.18

0.1.19

0.1.20

0.1.21

0.1.22

0.1.23

0.1.24

0.1.25

0.2.3.5

0.2.3.6

0.3.0.2

3.*

3.0.0.5

3.0.0.8

3.0.0.12

3.0.0.16

3.0.0.18

3.0.0.19

3.0.0.22

3.0.0.25

3.0.0.26

3.0.0.30

3.0.1.2

3.0.1.3

3.0.1.4

3.2.0.1

3.2.0.2

3.2.0.3

3.2.0.4

3.2.0.5

3.2.0.6

3.2.0.7

3.2.0.8

3.2.0.9

3.4.0.1

3.6.0.1

3.6.0.2

3.6.0.3

3.6.0.4

3.6.0.5

3.6.0.7

3.6.0.8

3.6.0.10

3.6.0.11

3.6.0.12

3.8.0.1

3.8.0.2

3.8.0.3

3.8.0.4

3.8.0.5

3.8.0.6

3.8.1.1

3.8.1.2

3.8.1.3

3.8.1.4

3.8.2.1

3.8.2.2

3.8.2.3

3.8.2.4

3.8.2.5

3.8.2.6

3.8.2.7

3.8.2.8

3.8.2.9

3.8.2.11

3.8.3.1

3.8.3.2

3.8.3.3

3.8.3.4

3.10.0.1

3.10.0.2