CVE-2024-10553

🗓️ 20 Mar 2025 10:09:04Reported by @huntr_aiType

cve🔗 web.nvd.nist.gov👁 58 Views🌐 WEB

Vulnerability in h2oai/h2o-3 REST API allows code execution via deserialization of untrusted data.

Reporter	Title	Published	Views	Family All 19
Huntr	Mysql Jdbc Attck about CVE-2024-45758 and CVE-2024-10553 Bypass	3 Jun 202505:09	–	huntr
Circl	CVE-2024-10553	20 Mar 202511:40	–	circl
CNNVD	H2O 代码问题漏洞	20 Mar 202500:00	–	cnnvd
Cvelist	CVE-2024-10553 Jdbc Deserialization in h2oai/h2o-3	20 Mar 202510:09	–	cvelist
EUVD	EUVD-2025-7107	3 Oct 202520:07	–	euvd
Github Security Blog	H2O Deserialization of Untrusted Data Vulnerability	20 Mar 202512:32	–	github
GitLab Advisory Database	H2O Deserialization of Untrusted Data Vulnerability	20 Mar 202500:00	–	gitlab
NVD	CVE-2024-10553	20 Mar 202510:15	–	nvd
OSV	GHSA-H7XG-CMPP-48HF H2O Deserialization of Untrusted Data Vulnerability	20 Mar 202512:32	–	osv
Positive Technologies	PT-2025-12046	20 Mar 202500:00	–	ptsecurity

NVD

Vulners

Node

h2o h2oMatch3.46.0.4

[
  {
    "vendor": "h2oai",
    "product": "h2oai/h2o-3",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "3.47.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
huntr	www.huntr.com/bounties/e6f550dd-eda2-428c-a740-ed8f893a084b
github	www.github.com/h2oai/h2o-3/commit/ac1d642b4d86f10a02d75974055baf2a4b2025ac

Parameter	Position	Path	Description	CWE
jdbcUrl	request body	/99/ImportSQLTable	Deserialization vulnerability via untrusted JDBC URL to DriverManager.getConnection in ImportSQLTable endpoint.	CWE-502
jdbcUrl	request body	/3/SaveToHiveTable	Deserialization vulnerability via untrusted JDBC URL to DriverManager.getConnection in SaveToHiveTable endpoint.	CWE-502

14 Jul 2025 13:43Current

8High risk

Vulners AI Score8

CVSS 39.8

EPSS0.02857

SSVC

CWE-502