7.5

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-7768

GHSA ID

GHSA-p2vc-m5fv-9w9m

EPSS Score

0.35596%

CWE

CWE-400

Published

3/20/2025

Updated

3/20/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-7768

CVE-2024-7768: H2O Vulnerable to Denial of Service (DoS) via `/3/ImportFiles` Endpoint

A vulnerability in the /3/ImportFiles endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, path, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-7768

CVE-2024-7768:

7.5

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-7768

GHSA ID

GHSA-p2vc-m5fv-9w9m

EPSS Score

0.35596%

CWE

CWE-400

Published

3/20/2025

Updated

3/20/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
h2o	pip
ai.h2o:h2o-core	maven

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the handling of the 'path' parameter in the /3/ImportFiles endpoint. The ImportFilesHandler.importFiles method is directly responsible for processing this parameter and initiating file imports. By not validating that the provided path doesn't reference the vulnerable endpoint itself, it allows recursive calls that exhaust server resources. The code structure shown in the provided Java file confirms the lack of safeguards around path validation before processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-7768: H2O Vulnerable to Denial of Service (DoS) via `/3/ImportFiles` Endpoint

CVE-2024-7768:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2024-7768: H2O Vulnerable to Denial of Service (DoS) via `/3/ImportFiles` Endpoint

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI