Deserialization flaw in H2O-3 <=3.46.0.8 allows arbitrary code exec
CVE-2025-6544 Published on September 21, 2025
Deserialization Vulnerability in h2oai/h2o-3
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.
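As an added illustration, not code from the H2O-3 project, the Python below contrasts the weak pattern the advisory describes (a regular-expression filter applied after one round of URL decoding, which a double-encoded parameter slips past) with a check that percent-decodes to a fixed point and then allowlists the JDBC driver scheme and parameter names. The URLs, the blocked token `unsafeOption`, and both allowlists are constructed placeholders.

```python
"""JDBC connection-parameter validation: weak regex filter versus canonicalize-then-allowlist.
Added example; all URLs, the blocked token and the allowlists are constructed placeholders."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical denylisted token standing in for any driver option a deployment forbids.
BLOCKED_PATTERN = re.compile(r"unsafeOption", re.IGNORECASE)
# Hypothetical allowlists of driver schemes and parameter names a deployment permits.
ALLOWED_SCHEMES = {"postgresql", "mysql"}
ALLOWED_PARAMS = {"user", "password", "ssl"}


def naive_check(jdbc_url: str) -> bool:
    """Weak pattern: decode once, then regex-search. '%2575' decodes to '%75', not 'u'."""
    return BLOCKED_PATTERN.search(unquote(jdbc_url)) is None


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing so nested encodings cannot hide a token."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def hardened_check(jdbc_url: str) -> bool:
    """Canonicalize first, then accept only an allowlisted scheme and allowlisted parameter names."""
    try:
        canonical = canonicalize(jdbc_url)
    except ValueError:
        return False
    if not canonical.startswith("jdbc:"):
        return False
    parts = urlsplit(canonical[len("jdbc:"):])
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in ALLOWED_PARAMS or BLOCKED_PATTERN.search(name):
            return False
    return True


# Constructed sample inputs: a clean URL, a single-encoded and a double-encoded blocked parameter.
CLEAN_URL = "jdbc:postgresql://db.example/analytics?user=h2o&ssl=true"
SINGLE_ENCODED = "jdbc:postgresql://db.example/analytics?user=h2o&%75nsafeOption=1"
DOUBLE_ENCODED = "jdbc:postgresql://db.example/analytics?user=h2o&%2575nsafeOption=1"
```

Running `naive_check(DOUBLE_ENCODED)` returns True (the filter is bypassed) while `hardened_check(DOUBLE_ENCODED)` returns False, because the second decode exposes the parameter name before the allowlist is applied.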
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2025-6544 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
Affected Versions
h2oai/h2o-3: versions from an unspecified lower bound up to and below 3.46.8 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.