CVE-2024-7768
📋 TL;DR
A denial-of-service vulnerability in h2o-3's ImportFiles endpoint allows attackers to recursively call the endpoint via the 'path' parameter, filling the request queue and making the server unresponsive. This affects all systems running h2o-3 version 3.46.1 with the vulnerable endpoint exposed. The vulnerability requires network access to the endpoint but no authentication.
💻 Affected Systems
- h2oai/h2o-3
📦 What is this software?
H2o by H2o
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability for all users, potentially requiring server restart and causing extended downtime.
Likely Case
Temporary service degradation or unavailability until the malicious requests stop or the server is restarted.
If Mitigated
Minimal impact if endpoint is not exposed or proper rate limiting/input validation is in place.
🎯 Exploit Status
Exploitation requires only a single crafted GET request with recursive path parameter. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.46.2 or later
Vendor Advisory: https://huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6
Restart Required: No
Instructions:
1. Update h2o-3 to version 3.46.2 or later.
2. Verify the update completed successfully.
3. No restart required as this is a code-level fix.
🔧 Temporary Workarounds
Block vulnerable endpoint
Use a web application firewall or reverse proxy to block access to the /3/ImportFiles endpoint.
# Example nginx location block (inside the server {} that proxies h2o-3; the prefix match also covers any query string):
location /3/ImportFiles { deny all; }
# Example Apache httpd.conf / virtual-host block (<Location> is not permitted in .htaccess files):
<Location "/3/ImportFiles">
Require all denied
</Location>
Implement rate limiting
Add rate limiting to prevent request queue exhaustion.
# Example nginx rate limiting (limit_req_zone belongs in the http {} context, the location block in server {}):
limit_req_zone $binary_remote_addr zone=importfiles:10m rate=1r/s;
location /3/ImportFiles {
limit_req zone=importfiles burst=5;
}
🧯 If You Can't Patch
- Implement network segmentation to restrict access to the vulnerable endpoint only to trusted sources.
- Deploy a web application firewall with rules to detect and block recursive path parameters in requests.
🔍 How to Verify
Check if Vulnerable:
Check whether the h2o-3 version is 3.46.1 and the /3/ImportFiles endpoint is reachable. Test with a request containing a recursive path parameter.
Check Version:
Check h2o-3 version in application logs or via API if available. For Python installations: pip show h2o
Verify Fix Applied:
After updating, verify version is 3.46.2 or later and test that recursive path parameters no longer cause DoS.
📡 Detection & Monitoring
Log Indicators:
- Multiple rapid requests to /3/ImportFiles endpoint
- Requests with recursive path parameters (e.g., path=../ImportFiles?path=...)
- Increased error rates or timeout messages
Network Indicators:
- Unusual traffic patterns to /3/ImportFiles endpoint
- Multiple GET requests with similar path parameters from single source
SIEM Query:
source="h2o-3" AND (url_path="/3/ImportFiles" AND (path_parameter="*../*" OR request_count > threshold))
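The log indicators above turned into a small detection check, as an added example that is not code from the advisory or the h2o-3 project: it parses constructed nginx-style access-log lines, flags /3/ImportFiles requests whose path parameter points back at ImportFiles, and counts per-source request bursts. The log format, the sample addresses and the burst threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx "combined"-style access-log lines for illustration only;
# the addresses, timestamps and requests are made up, not captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2024:10:00:01 +0000] "GET /3/ImportFiles?path=/data/train.csv HTTP/1.1" 200 512
203.0.113.9 - - [12/Aug/2024:10:00:02 +0000] "GET /3/ImportFiles?path=../ImportFiles%3Fpath%3D../ImportFiles HTTP/1.1" 200 0
203.0.113.9 - - [12/Aug/2024:10:00:02 +0000] "GET /3/ImportFiles?path=../ImportFiles%3Fpath%3D../ImportFiles HTTP/1.1" 200 0
203.0.113.9 - - [12/Aug/2024:10:00:03 +0000] "GET /3/ImportFiles?path=../ImportFiles%3Fpath%3D../ImportFiles HTTP/1.1" 504 0
203.0.113.5 - - [12/Aug/2024:10:00:04 +0000] "GET /3/Cloud HTTP/1.1" 200 1024
"""

# Minimal parser for the common log format: source, timestamp, request target, status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def hits_import_files(target):
    """True when the request path is the ImportFiles endpoint (query string ignored)."""
    return urlsplit(target).path.endswith("/3/ImportFiles")

def is_recursive_import(target):
    """True when a 'path' value on /3/ImportFiles itself points back at ImportFiles (the advisory's log indicator)."""
    if not hits_import_files(target):
        return False
    for value in parse_qs(urlsplit(target).query).get("path", []):
        # parse_qs decoded one layer; decode again in case the nested query was double-encoded
        if "ImportFiles" in unquote(unquote(value)):
            return True
    return False

def analyze(log_text, burst_threshold=3):
    """Return (recursive_hits, noisy_sources): offending (src, ts, target) tuples and
    the sources whose ImportFiles request count reached burst_threshold (assumed value)."""
    recursive, per_source = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if hits_import_files(m["target"]):
            per_source[m["src"]] += 1
        if is_recursive_import(m["target"]):
            recursive.append((m["src"], m["ts"], m["target"]))
    noisy = {src: n for src, n in per_source.items() if n >= burst_threshold}
    return recursive, noisy
```

Feed real access logs through `analyze` and alert on any entry in the first result; the second result is the per-source burst list that backs the "multiple rapid requests" indicator.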