14 matches found
EUVD-2025-6978
Malicious code in bioql PyPI...
EUVD-2025-6929
Malicious code in bioql PyPI...
H2O Vulnerable to Arbitrary File Overwrite
In h2oai/h2o-3 version 3.46.0, the /99/Models/name/json endpoint allows for arbitrary file overwrite on the target server. The vulnerability arises from the exportModelDetails function in ModelsHandler.java, where the user-controllable mexport.dir parameter is used to specify the file path for...
GHSA-47F6-5P7H-5F3H H2O Vulnerable to Arbitrary File Overwrite via File Export
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a...
H2O Vulnerable to Arbitrary File Overwrite via File Export
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a...
CVE-2024-8062
A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a HEAD request to verify the existence of a specified resource without setting a timeout. An attacker can exploit this by sending multiple requests to an attacker-controll...
CVE-2024-6863
In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vulnerability makes it possible for an attacke...
CVE-2024-6854
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a...
CVE-2024-8062
CVE-2024-8062 affects the h2oai/h2o-3 package (version 3.46.0) via the typeahead endpoint. The vulnerability arises when the endpoint uses a HEAD request to verify resource existence without a timeout, which can be exploited by sending many requests to an attacker-controlled server that hangs, ca...
CVE-2024-8062 Denial of Service in h2oai/h2o-3
A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a HEAD request to verify the existence of a specified resource without setting a timeout. An attacker can exploit this by sending multiple requests to an attacker-controll...
H2O Security Vulnerability
H2O is an in-memory platform for distributed, scalable machine learning open-sourced by H2O.ai. A security vulnerability exists in H2O version 3.46.0, which stems from a custom encryption tool endpoint that does not restrict encrypted files, potentially leading to ransomware behavior...
GHSA-58M3-RCVP-F9WW h2o vulnerable to unexpected POST request shutting down server
In h2oai/h2o-3 version 3.46.0, the runtool command in the rapids component allows the main function of any class under the water.tools namespace to be called. One such class, MojoConvertTool, crashes the server when invoked with an invalid argument, causing a denial of service...
CVE-2024-5979
CVE-2024-5979 affects h2oai/h2o-3 (version 3.46.0). The issue arises in the rapids component: the run_tool command can invoke the main() of any class under water.tools, enabling MojoConvertTool to crash the server and cause denial of service. Exploitation details are not provided in the sources; ...
h2o Resource Management Error Vulnerability
h2o is a new generation of HTTP server. Not only is it very fast compared to older generation HTTP servers, but it also provides faster responses to end users. A resource management error vulnerability exists in h2o-3 version 3.46.0. An attacker exploiting this vulnerability could cause the serve...