CVE-2025-5662
BaseFortify
Publication date: 2025-09-02
Last updated on: 2025-09-02
Assigner: huntr.dev
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| h2o-3 | h2o | 3.46.0 |
| oracle | java_development_kit | 8u112 |
| mysql | mysql_connector_j | 8.0.19 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is a deserialization vulnerability (CWE-502) in the H2O-3 REST API, specifically the POST /99/ImportSQLTable endpoint, affecting versions up to and including 3.46.0.7. The endpoint accepts JDBC connection details from the API caller, including connection parameters supplied in a key-value format, and does not validate those parameters sufficiently. An attacker who can reach the API can therefore steer how the JDBC connection is established so that untrusted data ends up being deserialized by the server, which leads to remote code execution. The advisory ties the issue to MySQL Connector/J 8.0.19 and JDK 8u112 as the affected components; it is fixed in H2O-3 3.46.0.8.
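The weakness described above is accepting caller-controlled JDBC connection parameters without validating them. The following is an added illustration, written for this page and not code from the H2O-3 project or its fix, of the deny-by-default shape such validation takes: the JDBC URL scheme must be one the service expects, connection properties may only arrive through the separate key-value field (never smuggled into the URL query), and every property key must be on an allowlist. The scheme and property names in the allowlist are hypothetical; the page does not say which properties H2O-3 accepts or rejects, or which one was abused.

```python
# Added example: allowlist-based validation of a JDBC URL plus key-value
# connection properties. Names and sample inputs below are constructed for
# illustration and are not taken from the H2O-3 code base or advisory.

# Hypothetical allowlists a service might enforce on caller-supplied input.
ALLOWED_SCHEMES = {"jdbc:mysql", "jdbc:postgresql"}
ALLOWED_PROPERTIES = {"connectTimeout", "socketTimeout", "useSSL", "requireSSL"}
SAFE_VALUE_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


class InvalidJdbcRequest(ValueError):
    """Raised when the caller-supplied connection details fail validation."""


def parse_kv(spec: str) -> dict:
    """Parse 'k1=v1,k2=v2' into a dict, rejecting malformed or duplicate pairs."""
    props = {}
    if not spec.strip():
        return props
    for pair in spec.split(","):
        key, sep, value = pair.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise InvalidJdbcRequest(f"malformed property pair: {pair!r}")
        if key in props:
            raise InvalidJdbcRequest(f"duplicate property: {key}")
        props[key] = value
    return props


def validate_jdbc_request(url: str, kv_spec: str) -> dict:
    """Deny-by-default check of a JDBC URL and its key-value properties.

    Returns the validated properties; raises InvalidJdbcRequest otherwise.
    """
    scheme, sep, _rest = url.partition("://")
    if not sep or scheme.lower() not in ALLOWED_SCHEMES:
        raise InvalidJdbcRequest(f"JDBC scheme not allowed: {scheme!r}")
    # Properties embedded in the URL (query string or ';'-separated) would
    # bypass the allowlist below, so the URL must carry none.
    if "?" in url or ";" in url:
        raise InvalidJdbcRequest("connection properties must not be embedded in the URL")
    props = parse_kv(kv_spec)
    unknown = sorted(set(props) - ALLOWED_PROPERTIES)
    if unknown:
        raise InvalidJdbcRequest(f"connection properties not allowed: {unknown}")
    for key, value in props.items():
        if not value or not set(value) <= SAFE_VALUE_CHARS:
            raise InvalidJdbcRequest(f"unsafe value for {key}: {value!r}")
    return props


def is_accepted(url: str, kv_spec: str) -> bool:
    """Convenience wrapper: True if the request passes validation."""
    try:
        validate_jdbc_request(url, kv_spec)
        return True
    except InvalidJdbcRequest:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one benign, three that must be rejected.
    samples = [
        ("jdbc:mysql://db.example.internal:3306/sales", "connectTimeout=5000,useSSL=true"),
        ("jdbc:mysql://db.example.internal:3306/sales?useSSL=false", ""),   # property in URL
        ("jdbc:mysql://db.example.internal:3306/sales", "autoDeserialize=true"),  # key not allowlisted
        ("jdbc:h2:mem:test", "connectTimeout=5000"),                        # scheme not allowlisted
    ]
    for url, kv in samples:
        print(f"{'ACCEPT' if is_accepted(url, kv) else 'REJECT'}  {url}  [{kv}]")
```

The decisive property of this check is that unknown keys are rejected rather than passed through to the driver: the validator never has to know which driver options are dangerous, only which ones the application actually needs.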
How can this vulnerability impact me?
This vulnerability can lead to remote code execution (RCE) on the host running H2O-3, allowing an attacker who can reach the REST API to run arbitrary code with the privileges of the H2O-3 process. That compromises the confidentiality, integrity, and availability of the system and of any data the instance can access, including data sources it holds credentials for.
What immediate steps should I take to mitigate this vulnerability?
Upgrade H2O-3 to version 3.46.0.8 or later, which resolves the vulnerability. Additionally, update the MySQL JDBC driver (Connector/J) beyond version 8.0.19 and the JDK beyond 8u112, the component versions the advisory lists as affected. Until the upgrade is in place, treat the REST API as a sensitive interface: do not expose it to untrusted networks, and restrict which clients can reach the ImportSQLTable endpoint.
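Checking whether an installation is affected means comparing three version strings against the thresholds stated above, and version strings must be compared numerically rather than as text (as text, "3.46.0.10" sorts before "3.46.0.8"). The script below is an added example for this page, not a tool from the H2O-3 project: it parses the H2O-3, Connector/J and JDK version formats and returns the findings for one host. The thresholds encode the advisory's statements (fixed in 3.46.0.8; Connector/J must be beyond 8.0.19; JDK beyond 8u112); the sample hosts are constructed.

```python
# Added example: numeric version triage for CVE-2025-5662 as stated on this page.
# Thresholds follow the advisory text; the host inventory below is constructed.
import re

FIXED_H2O = (3, 46, 0, 8)            # first fixed H2O-3 release
AFFECTED_CONNECTOR_J_MAX = (8, 0, 19)  # advisory: update Connector/J beyond 8.0.19
AFFECTED_JDK_MAX = (8, 112)          # advisory: update JDK beyond 8u112


def parse_dotted(version: str) -> tuple:
    """'3.46.0.7' -> (3, 46, 0, 7); comparison is then numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def parse_jdk(version: str) -> tuple:
    """Normalise JDK version spellings to (major, update).

    Handles '8u112', the legacy '1.8.0_112', and modern '17.0.2' / '8.0.412'.
    """
    m = re.fullmatch(r"(\d+)u(\d+)", version.strip())
    if m:
        return (int(m.group(1)), int(m.group(2)))
    m = re.fullmatch(r"1\.(\d+)\.0_(\d+)", version.strip())
    if m:
        return (int(m.group(1)), int(m.group(2)))
    parts = parse_dotted(version)
    return (parts[0], parts[-1] if len(parts) > 1 else 0)


def h2o_affected(version: str) -> bool:
    return parse_dotted(version) < FIXED_H2O


def connector_j_affected(version: str) -> bool:
    return parse_dotted(version) <= AFFECTED_CONNECTOR_J_MAX


def jdk_affected(version: str) -> bool:
    return parse_jdk(version) <= AFFECTED_JDK_MAX


def triage(h2o: str, connector_j: str, jdk: str) -> list:
    """Return a list of findings (empty when nothing needs action)."""
    findings = []
    if h2o_affected(h2o):
        findings.append(f"H2O-3 {h2o} is affected; upgrade to 3.46.0.8 or later")
    if connector_j_affected(connector_j):
        findings.append(f"MySQL Connector/J {connector_j} is within the affected range; update beyond 8.0.19")
    if jdk_affected(jdk):
        findings.append(f"JDK {jdk} is within the affected range; update beyond 8u112")
    return findings


if __name__ == "__main__":
    # Constructed inventory of three hosts (hostname, H2O-3, Connector/J, JDK).
    inventory = [
        ("ml-train-01", "3.46.0.7", "8.0.19", "8u112"),
        ("ml-train-02", "3.46.0.10", "8.0.33", "1.8.0_392"),
        ("ml-train-03", "3.46.0.8", "8.0.33", "17.0.2"),
    ]
    for host, h2o, cj, jdk in inventory:
        findings = triage(h2o, cj, jdk)
        status = "OK" if not findings else "ACTION REQUIRED"
        print(f"{host}: {status}")
        for line in findings:
            print(f"  - {line}")
```

Note how the text comparison pitfall is real: `"3.46.0.10" < "3.46.0.8"` is true in Python, so a triage based on string ordering would wrongly flag a patched build as vulnerable.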