CVE-2024-10549

A vulnerability in the `/3/Parse` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an attacker can exhaust all available threads, leading to a complete denial of service.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/ce7bd2d6-fd38-440d-a91a-dd8f3fc06bc2	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:h2o:h2o:3.46.0.1:*:*:*:*:*:*:*

History

14 Jul 2025, 13:53

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad en el endpoint `/3/Parse` de h2oai/h2o-3 versión 3.46.0.1 permite un ataque de denegación de servicio (DoS). El endpoint utiliza una cadena especificada por el usuario para construir una expresión regular, que posteriormente se aplica a otra cadena especificada por el usuario. Al enviar múltiples solicitudes simultáneas, un atacante puede agotar todos los subprocesos disponibles, lo que provoca una denegación de servicio completa.
CPE		cpe:2.3:a:h2o:h2o:3.46.0.1:::::::*
First Time		H2o H2o h2o
References	~~() https://huntr.com/bounties/ce7bd2d6-fd38-440d-a91a-dd8f3fc06bc2 -~~	() https://huntr.com/bounties/ce7bd2d6-fd38-440d-a91a-dd8f3fc06bc2 - Exploit, Third Party Advisory

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-07-14 13:53

NVD link : CVE-2024-10549

Mitre link : CVE-2024-10549

CVE.ORG link : CVE-2024-10549

JSON object : View

Products Affected

h2o

CWE

CWE-400

Uncontrolled Resource Consumption

7.5 /10