CVE-2024-7768

A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:h2o:h2o:3.46.1:*:*:*:*:*:*:*

History

15 Jul 2025, 15:50

Type	Values Removed	Values Added
First Time		H2o H2o h2o
CPE		cpe:2.3:a:h2o:h2o:3.46.1:::::::*
Summary		(es) Una vulnerabilidad en el endpoint `/3/ImportFiles` de h2oai/h2o-3 versión 3.46.1 permite a un atacante provocar una denegación de servicio. El endpoint utiliza un único parámetro GET, `path`, que puede configurarse recursivamente para que se autoreferencia. Esto provoca que el servidor llame repetidamente a su propio endpoint, lo que acaba saturando la cola de solicitudes y dejando al servidor incapacitado para gestionar otras solicitudes.
References	~~() https://huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6 -~~	() https://huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6 - Exploit, Third Party Advisory

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-07-15 15:50

NVD link : CVE-2024-7768

Mitre link : CVE-2024-7768

CVE.ORG link : CVE-2024-7768

JSON object : View

Products Affected

h2o

CWE

CWE-400

Uncontrolled Resource Consumption

7.5 /10