CVE-2025-5662 CRITICAL

CVE-2025-5662: Deserialization Vulnerability in h2oai/h2o-3

Vendor: H2Oai
Product: h2oai/h2o-3
Weakness: CWE-502 · Unsafe deserialization
Published: September 2, 2025
Last update: September 2, 2025

CVSS base score

9.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present in the MySQL JDBC Driver version 8.0.19 and JDK version 8u112. The issue is resolved in version 3.46.0.8.

Key dates

02 Disclosure timeline

September 2, 2025: CVE published
September 2, 2025: Record updated