CVE-2024-8062

7.5 HIGH

📋 TL;DR

This vulnerability in h2oai/h2o-3 version 3.46.0 allows attackers to cause a denial of service through the typeahead endpoint, which issues HEAD requests without a timeout. An attacker can point the endpoint at a server they control that never responds; the HEAD request then hangs indefinitely and blocks the application from processing legitimate requests. Anyone running the vulnerable version with the typeahead endpoint accessible is affected.

💻 Affected Systems

Products:
  • h2oai/h2o-3
Versions: Version 3.46.0 specifically
Operating Systems: All operating systems running h2o-3
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration when the typeahead endpoint is accessible. No special configuration is required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application unavailability, making the service inaccessible to all users until manual intervention restarts the application.

🟠 Likely Case: Degraded performance and intermittent service disruptions as multiple requests hang, consuming server resources and blocking legitimate traffic.

🟢 If Mitigated: Minimal impact with proper network segmentation and request timeouts limiting the attack surface and the duration of any disruption.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exposed to attackers who can easily send malicious requests to trigger the DoS condition.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal systems, but have reduced exposure compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and minimal technical skill: an attacker only needs to make the endpoint send a HEAD request to a server they control that never answers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.46.0.1 or later

Vendor Advisory: https://huntr.com/bounties/a04190d9-4acb-449a-9a7f-f1bf6be1ed23

Restart Required: Yes

Instructions:

1. Update h2o-3 to version 3.46.0.1 or later using pip: 'pip install --upgrade h2o==3.46.0.1'
2. Restart the h2o-3 application to apply the fix.

🔧 Temporary Workarounds

Implement network-level request filtering (applies to: all): Block or rate-limit requests to the typeahead endpoint at the network/firewall level.

Add application-level timeout (applies to: all): Configure a request timeout in the application layer so that the HEAD requests issued by the endpoint cannot hang indefinitely.

🧯 If You Can't Patch

  • Disable or restrict access to the typeahead endpoint using firewall rules or application configuration
  • Implement rate limiting and request monitoring to detect and block suspicious patterns of HEAD requests

🔍 How to Verify

Check if Vulnerable:

Check if running h2o-3 version 3.46.0 by examining the installed package version

Check Version:

python -c "import h2o; print(h2o.__version__)"

Verify Fix Applied:

Verify that the installed h2o-3 version is 3.46.0.1 or later, and confirm that HEAD requests issued by the typeahead endpoint now time out instead of hanging.
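The following script is an added example, not code from the h2o-3 project or from the advisory. It covers both verification steps above and the "application-level timeout" workaround: it compares a version string against the fixed release 3.46.0.1 stated on this page, and it shows what a timeout-bounded HEAD request looks like by running one against a constructed local server that deliberately never answers in time. The helper names (parse_version, fix_applied, head_with_timeout, check_timeout_enforced) and the hanging test server are assumptions made for the demonstration; only the version numbers come from the advisory.

```python
"""Added example for CVE-2024-8062 verification (not h2o-3 project code).

Checks: (1) installed version >= 3.46.0.1, the fixed release named by the
advisory; (2) an outbound HEAD request is bounded by a timeout rather than
hanging.  The slow server below is constructed for the demo only.
"""
import socket
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import URLError

FIXED_VERSION = (3, 46, 0, 1)   # first fixed release per the advisory
AFFECTED_VERSION = (3, 46, 0)   # the release the advisory names as affected


def parse_version(text):
    """Turn '3.46.0.1' into (3, 46, 0, 1); stop at the first non-numeric piece."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected_version(text):
    """True only for the exact release the advisory lists as affected."""
    return parse_version(text) == AFFECTED_VERSION


def fix_applied(text):
    """True when the version is 3.46.0.1 or later (tuple comparison)."""
    return parse_version(text) >= FIXED_VERSION


def installed_h2o_version():
    """Return h2o.__version__ if the package is importable, else None."""
    try:
        import h2o  # assumption: same attribute the advisory's one-liner reads
    except ImportError:
        return None
    return getattr(h2o, "__version__", None)


class _HangingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a remote server that never answers a HEAD."""
    hang_seconds = 3.0

    def do_HEAD(self):
        time.sleep(self.hang_seconds)      # withhold the response headers
        try:
            self.send_response(200)
            self.end_headers()
        except OSError:
            pass                           # client already gave up

    def log_message(self, *args):          # keep the demo quiet
        pass


def start_hanging_server():
    """Bind the constructed slow server on an ephemeral localhost port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _HangingHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


def head_with_timeout(url, timeout=1.0):
    """HEAD request that gives up after `timeout` seconds.

    Returns ('ok', status) or ('timeout', None); other errors propagate.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return ("ok", resp.status)
    except (TimeoutError, socket.timeout):
        return ("timeout", None)           # raised while waiting for headers
    except URLError as exc:
        if isinstance(exc.reason, (TimeoutError, socket.timeout)):
            return ("timeout", None)       # raised during connect
        raise


def check_timeout_enforced(timeout=0.5):
    """True if the client abandons the hanging server before it would answer."""
    server, url = start_hanging_server()
    try:
        started = time.monotonic()
        outcome, _ = head_with_timeout(url, timeout=timeout)
        elapsed = time.monotonic() - started
    finally:
        server.shutdown()
        server.server_close()
    return outcome == "timeout" and elapsed < _HangingHandler.hang_seconds


if __name__ == "__main__":
    version = installed_h2o_version()
    print("installed h2o:", version, "fixed:", fix_applied(version) if version else "n/a")
    print("timeout enforced against hanging server:", check_timeout_enforced())
```

The version comparison is deliberately tuple-based, so 3.46.0 sorts below 3.46.0.1 and 3.47.0 sorts above it. The timeout check only proves the client-side pattern works; whether the running h2o-3 instance actually applies such a timeout is what the upgrade to 3.46.0.1 or later is for.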

📡 Detection & Monitoring

Log Indicators:

  • Multiple long-running HEAD requests to typeahead endpoint
  • Increased response times or timeouts for legitimate requests
  • Application logs showing hung requests

Network Indicators:

  • Unusual patterns of HEAD requests to the typeahead endpoint
  • Requests to suspicious external domains from the application

SIEM Query:

source="h2o-logs" AND (request_type="HEAD" AND endpoint="/typeahead" AND duration>30s)
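The SIEM query above assumes parsed fields. As an added example (not part of the advisory, and not an h2o-3 log format), the script below applies the same three conditions to raw access-log lines: method HEAD, a path containing "typeahead", and a duration over 30 seconds. The line layout, the sample entries, the IP addresses and the function names are all constructed for the demonstration; a "-" status marks a request that never completed, which the page lists as a hung-request indicator.

```python
"""Added example: flag long-running HEAD requests to the typeahead endpoint.

Constructed log layout (not h2o-3's real format):
    <timestamp> <source-ip> <method> <path> <status|-> <duration>ms
"""
import re
from collections import Counter

THRESHOLD_MS = 30_000   # the 30 s threshold used by the SIEM query above

# Constructed sample lines; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
2024-08-20T10:00:01Z 10.0.0.5 GET /3/Cloud 200 12ms
2024-08-20T10:00:03Z 203.0.113.7 HEAD /typeahead 200 45000ms
2024-08-20T10:00:04Z 10.0.0.8 GET /typeahead 200 80ms
2024-08-20T10:00:05Z 203.0.113.7 HEAD /typeahead - 120000ms
2024-08-20T10:00:09Z 203.0.113.7 HEAD /typeahead 200 31000ms
2024-08-20T10:00:12Z 198.51.100.9 HEAD /typeahead 200 2000ms
2024-08-20T10:00:15Z 198.51.100.9 HEAD /Typeahead 504 60000ms
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}|-) (?P<duration>\d+)ms$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["duration_ms"] = int(rec.pop("duration"))
    rec["completed"] = rec["status"] != "-"
    return rec


def find_long_head_typeahead(lines, threshold_ms=THRESHOLD_MS):
    """Records matching: HEAD, path contains 'typeahead', duration > threshold."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                        # skip unparseable lines, don't crash
        if rec["method"] != "HEAD":
            continue
        if "typeahead" not in rec["path"].lower():
            continue
        if rec["duration_ms"] > threshold_ms:
            hits.append(rec)
    return hits


def count_by_source(hits):
    """Map source IP -> number of flagged requests."""
    return Counter(h["src"] for h in hits)


def noisy_sources(hits, min_count=2):
    """Sources with at least `min_count` flagged requests, most active first."""
    return [src for src, n in count_by_source(hits).most_common() if n >= min_count]


if __name__ == "__main__":
    found = find_long_head_typeahead(SAMPLE_LOG.splitlines())
    for h in found:
        state = "completed" if h["completed"] else "HUNG"
        print(f"{h['ts']} {h['src']} {h['path']} {h['duration_ms']}ms {state}")
    print("sources worth a closer look:", noisy_sources(found))
```

Matching "typeahead" as a case-insensitive substring rather than the exact string "/typeahead" makes the rule survive path prefixes and casing differences; tighten it to the exact endpoint path once you know how your deployment logs it. Requests whose status never arrived are the strongest signal, because they are exactly the hung connections the advisory describes.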
