A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present in the MySQL JDBC Driver version 8.0.19 and JDK version 8u112. The issue is resolved in version 3.46.0.8.
Metrics
Affected Vendors & Products
References
History
Tue, 02 Sep 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 02 Sep 2025 11:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present in the MySQL JDBC Driver version 8.0.19 and JDK version 8u112. The issue is resolved in version 3.46.0.8. | |
Title | Deserialization Vulnerability in h2oai/h2o-3 | |
Weaknesses | CWE-502 | |
References |
| |
Metrics |
cvssV3_0
|

Status: PUBLISHED
Assigner: @huntr_ai
Published:
Updated: 2025-09-02T15:50:21.879Z
Reserved: 2025-06-04T12:47:05.500Z
Link: CVE-2025-5662

Updated: 2025-09-02T15:50:00.403Z

Status : Awaiting Analysis
Published: 2025-09-02T12:15:38.420
Modified: 2025-09-02T15:55:25.420
Link: CVE-2025-5662

No data.

No data.