h2oai h2o-3 Denial-of-Service Vulnerability in Typeahead Endpoint

Vulnerability

A denial-of-service vulnerability has been identified in h2oai h2o-3 version 3.46.0. The typeahead endpoint issues a HEAD request to verify that a user-specified resource exists, and that request is made without a timeout. Because the wait is unbounded, an attacker can point the endpoint at a server they control that never responds; after enough such requests the application hangs and stops answering other requests.

Impact

Exploitation of this vulnerability leads to a complete denial-of-service, causing the application to become unresponsive.

Reproduction

To reproduce this vulnerability, run the h2o application using 'java -jar h2o.jar'. Then set up a Flask server that simulates a slow response by sleeping for an extended period. Once the server is running, send multiple requests to the h2o typeahead endpoint that target the Flask server's slow endpoint; a Python script that spawns a thread per request is sufficient. After enough requests have been sent, the h2o application exhausts its available request-handling threads and every endpoint becomes unresponsive.
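As an added illustration, not code from h2o-3, the following Python stand-in reproduces the pattern the advisory describes and its fix: a HEAD-based existence check against a constructed stalling server, which waits forever when called with timeout=None and returns within the bound when a timeout is supplied. StallingHandler, start_stalling_server, resource_exists and timed_check are names assumed for this example, not h2o-3 identifiers.

```python
import http.server
import threading
import time
import urllib.error
import urllib.request

class StallingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed attacker-side server: HEAD under /slow stalls for server.delay seconds, anything else gets 404."""

    def do_HEAD(self):
        status = 200
        if self.path.startswith("/slow"):
            time.sleep(self.server.delay)
        else:
            status = 404
        try:
            self.send_response(status)
            self.end_headers()
        except OSError:
            pass  # the client gave up and closed the connection first

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_stalling_server(delay):
    """Bind the handler on a free loopback port; returns (server, base_url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), StallingHandler)
    srv.delay = delay
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def resource_exists(url, timeout=None):
    """HEAD existence check: timeout=None is the unbounded wait the advisory describes, a bound is the fix.
    Returns True/False for a definite answer, None when the check could not complete (unreachable or timed out)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except urllib.error.HTTPError:
        return False
    except OSError:  # URLError, connection failures and socket timeouts
        return None

def timed_check(url, timeout):
    # Return (result, seconds elapsed) so the effect of the bound is observable.
    start = time.monotonic()
    return resource_exists(url, timeout=timeout), time.monotonic() - start

if __name__ == "__main__":
    srv, base = start_stalling_server(delay=10)
    print(timed_check(base + "/slow", timeout=1.0))  # returns after ~1 s instead of hanging for 10 s
```

Calling timed_check with timeout=None against the /slow path blocks for the full delay, which is the behaviour that lets a handful of requests tie up every request-handling thread.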

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 2.5
exploitability: 9.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.