CVE-2024-5986
Unknown
Unknown - Not Provided
Arbitrary File Write in h2o-3 Enables Remote Code Execution
Publication date: 2026-02-02
Last updated on: 2026-02-02
Assigner: huntr.dev
Description
Description
A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the `/3/Frames/framename/export` endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| h2oai | h2o-3 | 3.46.0.1 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the /3/Frames/framename/export endpoint.
How can this vulnerability impact me? :
The vulnerability can lead to remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70