11 matches found
EUVD-2025-6978
Malicious code in bioql PyPI...
Arbitrary File Overwrite
ai.h2o, h2o-core is vulnerable to Arbitrary File Overwrite. The vulnerability is due to a lack of export location restrictions in the model export endpoint, allowing an attacker to overwrite arbitrary files on the server...
CVE-2024-6854
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a...
GHSA-47F6-5P7H-5F3H H2O Vulnerable to Arbitrary File Overwrite via File Export
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a...
Directory Traversal
Overview: Affected versions of this package are vulnerable to Directory Traversal via the endpoint for exporting models. An attacker can overwrite any file on the target server by exporting a model to any file in the server's file structure. Note: This vulnerability requires there to be a model th...
H2O Vulnerable to Arbitrary File Overwrite via File Export
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a...
CVE-2024-6854
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a...
CVE-2024-6854
CVE-2024-6854 affects h2oai/h2o-3 (v3.46.0). The export-model endpoint does not restrict the destination path, enabling an attacker to export a model to arbitrary locations on the server’s filesystem and overwrite files. The overwrite target content is not controllable by the attacker, but the at...
H2O Security Vulnerability
H2O is an in-memory platform for distributed, scalable machine learning open-sourced by H2O.ai. A security vulnerability exists in H2O version 3.46.0 that stems from a model export endpoint that does not restrict the export location, which could lead to arbitrary file overwrites...
H2O Vulnerable to Arbitrary File Overwrite via File Export
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a...
H2O-3 Arbitrary File Overwrite (CVE-2024-6854)
An arbitrary file overwrite vulnerability exists in H2O-3. The endpoint that allows for exporting models does not limit where models can be exported to. As such, an attacker can export a model to any file in the server file structure, overwriting it, by simply using the force flag. Note that...