Browse all 10 CVE security advisories affecting h2o. AI-powered Chinese analysis, POCs, and references for each vulnerability.
H2o serves as an open-source machine learning platform primarily used for training and deploying predictive models. Historically, it has been susceptible to remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from improper input validation and insecure deserialization. The platform's Java-based architecture and web interface have contributed to these security issues. While no major public security incidents have been widely reported, the 10 documented CVEs highlight consistent security challenges, particularly in authentication and data handling components. Organizations implementing H2o should prioritize regular updates and input sanitization to mitigate these recurring risks.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2024-45403 | H2O assertion failure when HTTP/3 requests are cancelled — h2o, CWE-617 | 3.7 | Low | 2024-10-11 |
| CVE-2024-45397 | H2O allows bypassing address-based access control with 0-RTT — h2o, CWE-284 | 5.9 | Medium | 2024-10-11 |
| CVE-2024-25622 | H2O ignores headers configuration directives — h2o, CWE-670 | 3.1 | Low | 2024-10-11 |
| CVE-2023-50247 | h2o QUIC state exhaustion DoS — h2o, CWE-770 | 3.7 | Low | 2023-12-12 |
| CVE-2023-41337 | h2o vulnerable to TLS session resumption misdirection — h2o, CWE-347 | 6.1 | Medium | 2023-12-12 |
| CVE-2023-30847 | H2O vulnerable to read from uninitialized pointer in the reverse proxy handler — h2o, CWE-824 | 8.2 | High | 2023-04-27 |
| CVE-2021-43848 | Uninitialized memory access in h2o — h2o, CWE-908 | 7.4 | High | 2022-02-01 |

This page lists every published CVE security advisory associated with h2o. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.