CVE-2024-7765

7.5 HIGH

📋 TL;DR

This vulnerability in h2oai/h2o-3 allows attackers to cause denial of service by uploading specially crafted large GZIP files. The server becomes unresponsive due to memory exhaustion and excessive concurrent slow-running jobs. Organizations using h2o-3 version 3.46.0.2 for machine learning operations are affected.

💻 Affected Systems

Products:
  • h2oai/h2o-3
Versions: 3.46.0.2
Operating Systems: All platforms running h2o-3
Default Config Vulnerable: ⚠️ Yes
Notes: Any h2o-3 deployment with file upload capabilities enabled is vulnerable. The vulnerability is triggered through the file parsing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage: the server becomes completely unresponsive and requires manual intervention and a restart, potentially disrupting critical ML workflows and production systems.

🟠 Likely Case

Degraded performance and intermittent service disruptions affecting ML model training and inference capabilities, leading to operational delays.

🟢 If Mitigated

Minimal impact with proper file upload controls and monitoring in place: at most temporary performance degradation, with no complete outage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to upload files to the h2o-3 instance. The vulnerability leverages data amplification through improper GZIP handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.46.0.3 or later

Vendor Advisory: https://huntr.com/bounties/0e58b1a5-bdca-4e60-af92-09de9c76a9ff

Restart Required: No

Instructions:

1. Upgrade h2o-3 to version 3.46.0.3 or later.
2. Update using pip: pip install h2o==3.46.0.3
3. Verify the upgrade completed successfully (see "Check Version" below).

🔧 Temporary Workarounds

Restrict File Uploads (all platforms)

Implement strict file upload controls and validation to prevent large GZIP files from being processed.

Resource Limiting (all platforms)

Configure memory limits and job concurrency restrictions to prevent resource exhaustion.

🧯 If You Can't Patch

  • Implement strict file upload validation to reject large GZIP files
  • Deploy rate limiting and monitoring for file upload endpoints
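A pre-parse gate for GZIP uploads in the spirit of the "Restrict File Uploads" workaround and the list above, added here as an example and not code from the h2o-3 project: it caps the compressed size, reads the trailer's declared length as a cheap first filter, then stream-decompresses with a hard output bound and rejects files whose size or compression ratio exceeds the limits. The limit values, function names and sample inputs are constructed assumptions.

```python
import gzip
import io
import zlib
# Constructed limits for this example; tune them to the deployment's memory budget.
MAX_COMPRESSED_BYTES = 50 * 1024 * 1024
MAX_DECOMPRESSED_BYTES = 500 * 1024 * 1024
MAX_RATIO = 100  # decompressed bytes per compressed byte

def gzip_declared_size(data: bytes) -> int:
    """ISIZE from the GZIP trailer (length mod 2**32): attacker-controlled, so a cheap first filter only."""
    if len(data) < 18 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a GZIP stream")
    return int.from_bytes(data[-4:], "little")

def bounded_decompressed_size(data: bytes, limit: int) -> int:
    """Stream-decompress 1 MiB at a time, stopping as soon as `limit` is passed."""
    total = 0
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        while total <= limit:
            chunk = gz.read(1 << 20)
            if not chunk:  # end of stream; GzipFile has verified CRC32 and ISIZE
                break
            total += len(chunk)
    return total

def check_gzip_upload(data: bytes, max_compressed=MAX_COMPRESSED_BYTES,
                      max_decompressed=MAX_DECOMPRESSED_BYTES, max_ratio=MAX_RATIO):
    """Return (accepted, reason); run this before the upload reaches the parser."""
    if len(data) > max_compressed:
        return False, f"compressed size {len(data)} exceeds {max_compressed}"
    try:
        declared = gzip_declared_size(data)
        if declared > max_decompressed:
            return False, f"declared size {declared} exceeds {max_decompressed}"
        actual = bounded_decompressed_size(data, max_decompressed)
    except (OSError, EOFError, ValueError, zlib.error) as exc:
        return False, f"unreadable GZIP: {exc}"
    if actual > max_decompressed:
        return False, f"decompressed size exceeds {max_decompressed}"
    ratio = actual / max(len(data), 1)
    if ratio > max_ratio:
        return False, f"compression ratio {ratio:.0f}:1 exceeds {max_ratio}:1"
    return True, f"ok: {actual} bytes, ratio {ratio:.1f}:1"

def demo():
    # Constructed inputs: a small benign file, a 4 MiB all-zero file, and that file with a forged ISIZE.
    benign = gzip.compress(bytes(range(256)) * 4)
    bomb = gzip.compress(b"\0" * (4 * 1024 * 1024))
    forged = bomb[:-4] + (1024).to_bytes(4, "little")  # trailer now claims 1 KiB
    return check_gzip_upload(benign), check_gzip_upload(bomb), check_gzip_upload(forged, max_decompressed=1 << 20)
```

The forged-trailer case shows why the declared size alone is not enough: the streaming bound still catches it after reading just over the limit.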

🔍 How to Verify

Check if Vulnerable:

Check if h2o-3 version is exactly 3.46.0.2. Review system logs for memory exhaustion events or slow job processing.

Check Version:

python -c "import h2o; print(h2o.__version__)"

Verify Fix Applied:

Verify h2o-3 version is 3.46.0.3 or later. Test file upload functionality with various GZIP files to ensure stability.

📡 Detection & Monitoring

Log Indicators:

  • Memory exhaustion warnings
  • Slow job processing alerts
  • High CPU usage spikes
  • File upload failures

Network Indicators:

  • Unusually large file uploads to h2o-3 endpoints
  • Increased network traffic to ML service

SIEM Query:

source="h2o-3" AND ("memory" OR "slow" OR "upload") AND severity>=WARNING
