H2O.ai H2O-3 Denial-of-Service Vulnerability via Large GZIP File Uploads

Vulnerability

A denial-of-service vulnerability has been identified in H2O.ai H2O-3 version 3.46.0.2. The issue arises when a large GZIP file is uploaded and repeatedly parsed, causing the server to become unresponsive. The unresponsiveness results from memory exhaustion combined with a high number of concurrent, slow-running parse jobs. The root cause is that the server does not bound the expansion of highly compressed input: a small compressed upload inflates into a far larger amount of data in memory (data amplification).

Impact

Exploitation of this vulnerability causes memory exhaustion, leading to server unresponsiveness. Additionally, it creates a large number of concurrent jobs that run slowly, further degrading server performance.
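The mitigation a parser needs for this class of bug is a decompression guard: inflate the upload incrementally and stop as soon as the output exceeds an absolute size budget or an amplification ratio, instead of expanding the whole stream first and checking afterwards. The following is an added illustration of such a guard in Python; it is not H2O-3 code, and the limit values (4 MiB output, 100:1 ratio), the slice sizes and the sample inputs are assumptions chosen for the example.

```python
"""Bounded GZIP decompression guard (added example, not H2O-3 code)."""
import gzip
import zlib

# Assumed policy values; tune to the deployment's memory budget.
MAX_OUTPUT_BYTES = 4 * 1024 * 1024   # never expand an upload beyond 4 MiB in memory
MAX_RATIO = 100.0                    # reject once output/input exceeds 100:1
COMPRESSED_SLICE = 4096              # compressed bytes fed to zlib per step
OUTPUT_SLICE = 64 * 1024             # max decompressed bytes produced per step


class DecompressionLimitExceeded(ValueError):
    """Raised when an upload crosses the size or amplification limit."""


def bounded_gunzip(data: bytes, max_output_bytes: int = MAX_OUTPUT_BYTES,
                   max_ratio: float = MAX_RATIO) -> bytes:
    """Inflate a gzip payload incrementally, aborting before limits are crossed.

    Output is produced in OUTPUT_SLICE pieces, so peak memory is bounded by the
    configured limit rather than by whatever the stream would expand to.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    consumed = 0   # compressed bytes handed to zlib so far
    produced = 0   # decompressed bytes obtained so far
    for start in range(0, len(data), COMPRESSED_SLICE):
        piece = data[start:start + COMPRESSED_SLICE]
        consumed += len(piece)
        chunk = inflater.decompress(piece, OUTPUT_SLICE)
        while True:
            produced += len(chunk)
            if produced > max_output_bytes:
                raise DecompressionLimitExceeded(
                    f"decompressed size exceeds {max_output_bytes} bytes")
            if produced / consumed > max_ratio:
                raise DecompressionLimitExceeded(
                    f"amplification {produced / consumed:.0f}:1 exceeds "
                    f"{max_ratio:.0f}:1")
            out += chunk
            # zlib keeps compressed input it could not yet expand within
            # OUTPUT_SLICE in unconsumed_tail; drain it before the next piece.
            if not inflater.unconsumed_tail:
                break
            chunk = inflater.decompress(inflater.unconsumed_tail, OUTPUT_SLICE)
    if not inflater.eof:
        raise ValueError("truncated or corrupt gzip stream")
    return bytes(out)


def check_upload(data: bytes, **limits) -> tuple:
    """Return (accepted, detail) for an upload; policy violations never raise."""
    try:
        plain = bounded_gunzip(data, **limits)
    except DecompressionLimitExceeded as exc:
        return False, str(exc)
    except (zlib.error, ValueError) as exc:
        return False, f"invalid gzip: {exc}"
    return True, f"{len(data)} -> {len(plain)} bytes"


# Constructed sample inputs (not from the advisory).
SAMPLE_CSV = "".join(f"{i},{i * 7 % 13},{i * i}\n" for i in range(20000)).encode()
SAMPLE_CSV_GZ = gzip.compress(SAMPLE_CSV)              # realistic ratio, within limits
HIGH_RATIO_GZ = gzip.compress(bytes(8 * 1024 * 1024))  # 8 MiB of zeros: roughly 1000:1


if __name__ == "__main__":
    for name, blob in (("csv", SAMPLE_CSV_GZ), ("high-ratio", HIGH_RATIO_GZ)):
        accepted, detail = check_upload(blob)
        print(f"{name}: {'accepted' if accepted else 'rejected'} ({detail})")
```

The ratio check fires early in the stream, long before the absolute budget is reached, which is what makes it useful against the concurrent-job aspect of this report: a rejected upload is discarded in milliseconds instead of occupying a parse worker for the full expansion. A server-side guard of this shape should sit in front of the parse step so that repeated submissions of the same file cannot queue up slow jobs.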

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.