{ "schema_version": "1.4.0", "id": "GHSA-5c8j-g96x-cj78", "modified": "2025-03-20T20:29:11Z", "published": "2025-03-20T12:32:47Z", "aliases": [ "CVE-2024-8062" ], "summary": "H2O Vulnerable to Denial of Service (DoS) via `HEAD` Request", "details": "A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a `HEAD` request to verify the existence of a specified resource without setting a timeout. An attacker can exploit this by sending multiple requests to an attacker-controlled server that hangs, causing the application to block and become unresponsive to other requests.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "h2o" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.2.0.1" }, { "last_affected": "3.46.0" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "ai.h2o:h2o-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.2.0.1" }, { "last_affected": "3.46.0" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8062" }, { "type": "PACKAGE", "url": "https://github.com/h2oai/h2o-3" }, { "type": "WEB", "url": "https://github.com/h2oai/h2o-3/blob/047a4d617240a56e74f834207c65973d133391cb/h2o-core/src/main/java/water/persist/PersistManager.java#L302" }, { "type": "WEB", "url": "https://huntr.com/bounties/a04190d9-4acb-449a-9a7f-f1bf6be1ed23" } ], "database_specific": { "cwe_ids": [ "CWE-1088" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-03-20T20:29:11Z", "nvd_published_at": "2025-03-20T10:15:40Z" } }