CVE-2025-6544 CRITICAL

CVE-2025-6544: Deserialization Vulnerability in h2oai/h2o-3

Vendor H2Oai
Product h2oai/h2o-3
Weakness CWE-502 · Unsafe deserialization
Published September 21, 2025
Last update September 22, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

h2oai/h2o-3 versions 3.46.0.8 and earlier contain a deserialization vulnerability (CWE-502) that lets an unauthenticated remote attacker read arbitrary files from the host and execute arbitrary code. The flaw stems from improper handling of JDBC connection parameters: the regular-expression check applied to those parameters can be bypassed with double URL encoding, so a value the check is meant to reject is only revealed after a second decoding step, past the point where the filter runs. All users of the affected versions are impacted. The record lists no fixed version, so treat any deployment at 3.46.0.8 or earlier as affected and restrict network access to it until an upgrade is confirmed.
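The following is an added illustration of the bypass class the description names; it is not code from h2o-3 and does not reproduce the reported issue. It models a hypothetical regex denylist that percent-decodes a JDBC URL once before matching, a downstream sink that decodes a second time, and a hardened check that canonicalizes the input to a fixed point and then allowlists parameter names structurally. The parameter name dangerousOption, the allowlist contents, the sample URLs and the two-decode sink model are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Hypothetical stand-in for a blocked JDBC URL parameter. The name is an
# assumption for this example; it is not the parameter h2o-3 filters.
BLOCKED = re.compile(r"(?i)(?:^|[?&;])dangerousOption=")
MAX_DECODE_ROUNDS = 3

# Constructed sample inputs (not taken from any real exploit).
BASE = "jdbc:postgresql://db.internal:5432/app?user=app"
CLEAN_URL = BASE + "&ssl=true"
SINGLE_ENCODED = BASE + "&dangerousOption%3Dtrue"      # '=' encoded once
DOUBLE_ENCODED = BASE + "&dangerousOption%253Dtrue"    # '%' of '%3D' encoded again


def parse_params(jdbc_url: str) -> dict:
    """Split 'jdbc:x://host/db?k=v&k2=v2' into {k: v}. No decoding here."""
    _, _, query = jdbc_url.partition("?")
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def naive_check(jdbc_url: str) -> bool:
    """Vulnerable pattern: decode once, then regex-match the flat string.

    Returns True when the URL is accepted. A single-encoded '=' is caught,
    because one decode exposes it; a double-encoded one is not.
    """
    return BLOCKED.search(unquote(jdbc_url)) is None


def driver_params(jdbc_url: str) -> dict:
    """Model of the sink: a later layer decodes again before parsing the URL.

    Two decodes in total is the assumption under which double encoding
    reaches the sink as a plain parameter.
    """
    return parse_params(unquote(unquote(jdbc_url)))


def canonicalize(jdbc_url: str) -> str:
    """Decode until the string stops changing; refuse input that never settles."""
    current = jdbc_url
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("input still changes after repeated decoding")


def hardened_check(jdbc_url: str, allowed=frozenset({"user", "password", "ssl"})) -> bool:
    """Canonicalize first, then parse structurally and allowlist parameter names.

    The allowlist is a hypothetical example set, not h2o-3's configuration.
    """
    try:
        canonical = canonicalize(jdbc_url)
    except ValueError:
        return False
    if "%" in canonical:  # a literal '%' left after settling is not a valid parameter
        return False
    return all(key.lower() in allowed for key in parse_params(canonical))


def demo() -> dict:
    """Return what each check decides for each sample, and what the sink sees."""
    return {
        "naive_single_encoded": naive_check(SINGLE_ENCODED),
        "naive_double_encoded": naive_check(DOUBLE_ENCODED),
        "sink_sees_double_encoded": driver_params(DOUBLE_ENCODED),
        "hardened_double_encoded": hardened_check(DOUBLE_ENCODED),
        "hardened_clean": hardened_check(CLEAN_URL),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive check rejects the single-encoded sample but accepts the double-encoded one, and the sink then parses it into the very parameter the regex was meant to block. The hardened version removes the gap between "what the check sees" and "what the sink sees" by decoding to a fixed point before validating, and it compares parsed parameter names against an allowlist instead of pattern-matching a flat string. An input filter alone is not a complete fix for a CWE-502 issue; the deserialization sink that the parameter reaches also needs to be removed or constrained.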

Key dates

02 Disclosure timeline

September 21, 2025 CVE published
September 22, 2025 Record updated