CVE-2025-10769 – This vulnerability in h2oai h2o-3 allows remote... (How to Fix)

Q: What is the severity of CVE-2025-10769?

CVE-2025-10769 has a CVSS score of 6.3 (MEDIUM). This vulnerability in h2oai h2o-3 allows remote attackers to execute arbitrary code through deserialization attacks via the H2 JDBC Driver's connection_url parameter. It affects all systems running h2o-3 versions up to 3.46.08 with the vulnerable component exposed. The exploit can be launched remotely without authentication.

📋 TL;DR

This vulnerability in h2oai h2o-3 allows remote attackers to execute arbitrary code through deserialization attacks via the H2 JDBC Driver's connection_url parameter. It affects all systems running h2o-3 versions up to 3.46.08 with the vulnerable component exposed. The exploit can be launched remotely without authentication.

💻 Affected Systems

Products:

h2oai h2o-3

Versions: Up to and including 3.46.08

Operating Systems: All platforms running h2o-3

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the H2 JDBC Driver component when processing connection_url parameters in /99/ImportSQLTable endpoint.

📦 What is this software?

H2o by H2o

View all CVEs affecting H2o →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Remote code execution with attacker gaining the privileges of the h2o-3 process, potentially leading to data exfiltration or further attacks.

🟢

If Mitigated

Exploit blocked at network perimeter or through input validation, resulting in failed attack attempts.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication, making internet-facing instances extremely vulnerable.

🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploit details have been publicly disclosed on GitHub and vulnerability databases. The vendor did not respond to disclosure attempts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - vendor did not respond

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to latest version if vendor releases fix, or implement workarounds.

🔧 Temporary Workarounds

Network Access Control

all

Restrict access to h2o-3 instances, especially the /99/ImportSQLTable endpoint

Input Validation

all

Implement strict validation and sanitization of connection_url parameters

🧯 If You Can't Patch

Isolate h2o-3 instances in restricted network segments with no internet access
Implement web application firewall (WAF) rules to block malicious connection_url patterns

🔍 How to Verify

Check if Vulnerable:

Check h2o-3 version: if version ≤ 3.46.08 and H2 JDBC Driver is enabled, system is vulnerable

Check Version:

Check h2o-3 documentation or configuration files for version information

Verify Fix Applied:

Verify version is > 3.46.08 or that workarounds are properly implemented

📡 Detection & Monitoring

Log Indicators:

Unusual connection attempts to /99/ImportSQLTable
Malformed or suspicious connection_url parameters in logs

Network Indicators:

HTTP requests to /99/ImportSQLTable with crafted connection_url parameters
Unexpected outbound connections from h2o-3 process

SIEM Query:

source="h2o-3" AND (uri="/99/ImportSQLTable" OR message CONTAINS "connection_url")

📊 Metadata

CVE ID: CVE-2025-10769

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-20

EPSS Score: 0.11% exploit probability (28.9th percentile)

Published: September 21, 2025

Last Updated: October 8, 2025

🔗 References

https://github.com/ez-lbz/poc/issues/51 Broken Link
https://github.com/ez-lbz/poc/issues/51#issue-3391023368 Broken Link
https://huntr.com/bounties/4066ce21-7148-44f5-8336-b1674c2f588d Exploit,Third Party Advisory
https://vuldb.com/?ctiid.325125 Permissions Required,VDB Entry
https://vuldb.com/?id.325125 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.649728 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.649793 Third Party Advisory,VDB Entry
https://github.com/ez-lbz/poc/issues/51 Broken Link
https://github.com/ez-lbz/poc/issues/51#issue-3391023368 Broken Link
https://huntr.com/bounties/4066ce21-7148-44f5-8336-b1674c2f588d Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10769, you might also want to check these: