CVE-2024-7768 HIGH

CVE-2024-7768: Denial of Service in h2oai/h2o-3

Vendor H2Oai
Product h2oai/h2o-3
Weakness CWE-770 · Uncontrolled resource consumption
Published March 20, 2025
Last update October 15, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
October 15, 2025 Record updated