CVE-2024-8062: H2O Vulnerable to Denial of Service (DoS) via `HEAD` Request

March 20, 2025

A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a HEAD request to verify the existence of a specified resource without setting a timeout. An attacker can exploit this by sending multiple requests to an attacker-controlled server that hangs, causing the application to block and become unresponsive to other requests.

References

github.com/advisories/GHSA-5c8j-g96x-cj78
github.com/h2oai/h2o-3
github.com/h2oai/h2o-3/blob/047a4d617240a56e74f834207c65973d133391cb/h2o-core/src/main/java/water/persist/PersistManager.java
huntr.com/bounties/a04190d9-4acb-449a-9a7f-f1bf6be1ed23
nvd.nist.gov/vuln/detail/CVE-2024-8062

Code Behaviors & Features

Detect and mitigate CVE-2024-8062 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →