A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present in the MySQL JDBC Driver version 8.0.19 and JDK version 8u112. The issue is resolved in version 3.46.0.8.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 03 Sep 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared H2oai
H2oai h2o-3
Vendors & Products H2oai
H2oai h2o-3

Tue, 02 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Sep 2025 11:30:00 +0000

Type Values Removed Values Added
Description A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present in the MySQL JDBC Driver version 8.0.19 and JDK version 8u112. The issue is resolved in version 3.46.0.8.
Title Deserialization Vulnerability in h2oai/h2o-3
Weaknesses CWE-502
References
Metrics cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2025-09-02T15:50:21.879Z

Reserved: 2025-06-04T12:47:05.500Z

Link: CVE-2025-5662

cve-icon Vulnrichment

Updated: 2025-09-02T15:50:00.403Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-09-02T12:15:38.420

Modified: 2025-09-02T15:55:25.420

Link: CVE-2025-5662

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-09-03T19:30:37Z