CVE-2024-5550

In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc	Exploit Third Party Advisory
https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:h2o:h2o:3.40.0.4:*:*:*:*:*:*:*

History

15 Oct 2025, 13:15

Type	Values Removed	Values Added
CWE	~~CWE-200~~	CWE-22

12 Feb 2025, 17:31

Type	Values Removed	Values Added
CPE	cpe:2.3:a:h2o:h2o:3.40.0.4:::::python::	cpe:2.3:a:h2o:h2o:3.40.0.4:::::::*

Information

Published : 2024-06-06 19:16

Updated : 2025-10-15 13:15

NVD link : CVE-2024-5550

Mitre link : CVE-2024-5550

CVE.ORG link : CVE-2024-5550

JSON object : View

Products Affected

h2o

h2o

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

NVD-CWE-noinfo

{"id": "CVE-2024-5550", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-06-06T19:16:09.473", "references": [{"url": "https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial."}, {"lang": "es", "value": "En h2oai/h2o-3 versi\u00f3n 3.40.0.4, existe una vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial debido a una funci\u00f3n de b\u00fasqueda de ruta arbitraria del sistema. Esta vulnerabilidad permite a cualquier usuario remoto ver las rutas completas en todo el sistema de archivos donde est\u00e1 alojado h2o-3. Espec\u00edficamente, el problema reside en la llamada API Typeahead, que cuando se solicita con una b\u00fasqueda anticipada de '/', expone el sistema de archivos ra\u00edz, incluidos directorios como /home, /usr, /bin, entre otros. Esta vulnerabilidad podr\u00eda permitir a los atacantes explorar todo el sistema de archivos y, cuando se combina con una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI), podr\u00eda hacer que la explotaci\u00f3n del servidor sea trivial."}], "lastModified": "2025-10-15T13:15:46.893", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:h2o:h2o:3.40.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E57282AC-B36C-452D-968F-DD4B940072BD"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}