CVE-2024-5979: h2o vulnerable to unexpected POST request shutting down server

June 27, 2024 (updated June 28, 2024)

In h2oai/h2o-3 version 3.46.0, the run_tool command in the rapids component allows the main function of any class under the water.tools namespace to be called. One such class, MojoConvertTool, crashes the server when invoked with an invalid argument, causing a denial of service.

References

github.com/advisories/GHSA-58m3-rcvp-f9ww
github.com/h2oai/h2o-3
huntr.com/bounties/d80a2139-fc03-44b7-b739-de41e323b458
nvd.nist.gov/vuln/detail/CVE-2024-5979

Code Behaviors & Features

Detect and mitigate CVE-2024-5979 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →