Posts

Showing posts with the label #CyberDudeBivash #CVE2025 #ThreatIntel #Vulnerability #AIThreatHunting #ZeroDay #JavaSecurity #RCE #CyberDefense #SOC

CVE-2025-6544 – Deserialization Vulnerability in H2O-3 By CyberDudeBivash

Overview

A critical deserialization vulnerability has been identified in h2oai/h2o-3 versions <= 3.46.0.8. This flaw allows attackers to:

- Read arbitrary system files
- Execute arbitrary code on affected systems

The vulnerability stems from improper handling of JDBC connection parameters, which can be exploited by bypassing regex validation using double URL encoding. All users of affected versions are at risk.

Technical Details

Component Affected: H2O-3 machine learning platform (JDBC connection handling).

Vulnerability Type: Insecure deserialization + input validation bypass.

Attack Vector: Attacker supplies maliciously crafted JDBC connection parameters. By applying double URL encoding, malicious payloads bypass existing regex filters. Payloads are then deserialized unsafely, allowing attackers to trigger file read or remote code execution (RCE).

Impact: Full system compromise under the context of the H2O process.

P...
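The validation gap described under Attack Vector, as an added example that is not from the original post or the H2O-3 code base: a regex applied to the raw string misses a parameter that is percent-encoded more than once, while decoding to a fixed point before matching catches it. The `jdbc:exampledb` scheme, the host and the `blockedParam` name are constructed placeholders, and the example assumes the value is URL-decoded again after the filter has run.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

public class JdbcUrlCheck {
    // Hypothetical denylist: "blockedParam" stands in for whatever a real filter rejects.
    static final Pattern DENY = Pattern.compile("(?i)[?&;]blockedParam=");
    static final int MAX_ROUNDS = 5; // cap on nested encoding layers we are willing to peel

    // Weak form: the regex only ever sees the string exactly as submitted.
    static boolean naiveAllows(String url) {
        return !DENY.matcher(url).find();
    }

    // Decode repeatedly until the string stops changing, so the filter sees
    // the same text any later decoding step would produce.
    static String canonicalize(String url) {
        String cur = url;
        for (int i = 0; i < MAX_ROUNDS; i++) {
            // Throws IllegalArgumentException on malformed sequences such as "%zz".
            String next = URLDecoder.decode(cur, StandardCharsets.UTF_8);
            if (next.equals(cur)) return cur;
            cur = next;
        }
        throw new IllegalArgumentException("too many encoding layers");
    }

    // Hardened form: fail closed on malformed or deeply nested encoding,
    // then match against the canonical string.
    static boolean hardenedAllows(String url) {
        try {
            return !DENY.matcher(canonicalize(url)).find();
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        List<String> samples = List.of( // constructed inputs
            "jdbc:exampledb://db.internal:1234/test?user=app",
            "jdbc:exampledb://db.internal:1234/test?blockedParam=true",
            "jdbc:exampledb://db.internal:1234/test?blocked%50aram=true",
            "jdbc:exampledb://db.internal:1234/test?blocked%2550aram=true");
        for (String s : samples)
            System.out.printf("naive=%-5b hardened=%-5b %s%n", naiveAllows(s), hardenedAllows(s), s);
    }
}
```

The last two samples pass the naive check and are rejected by the hardened one; an allow-list of permitted parameters applied to the canonical string is stricter still than any denylist.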