CVE-2023-6569: External Control of File Name or Path in h2oai/h2o-3
A remote, unauthenticated attacker can make the h2o server write an export file to an attacker-chosen path, overwriting arbitrary files that the server process has permission to write. The file content is only partially attacker-controlled: h2o writes the export (CSV, XLS, etc.) to disk in that format, so for a CSV export the attacker's data is wrapped in quotation marks and preceded by the column header "C1".
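The following is an added, illustrative Python model of this bug class; it is not h2o-3's own code (h2o-3 is written in Java) and does not reproduce its export endpoint. It shows the two halves of the advisory: why the written content is only partially controlled (a quoted CSV whose first cell is the header "C1"), and what a hardened export path check looks like. The `base_dir` confinement policy, the function names and the sample frame are assumptions for illustration.

```python
"""Illustrative model of an export-to-path bug (added example, not h2o-3 code).
Assumed: exports should only ever land under one server-side base directory."""
import csv
import io
import tempfile
from pathlib import Path

# Constructed sample frame: h2o names header-less columns C1, C2, ...
SAMPLE_FRAME = {"C1": ["attacker-chosen cell", "second row"]}


def render_csv(frame):
    """Serialise a frame as CSV with every field quoted. This mirrors the
    advisory's point: the exported data is wrapped in quotation marks and
    preceded by the column header ("C1"), so an attacker controls the file
    content only partially, not byte-for-byte."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(list(frame.keys()))
    for row in zip(*frame.values()):
        writer.writerow(row)
    return buf.getvalue()


def export_unvalidated(frame, path):
    """Vulnerable pattern: the caller-supplied path is used as-is, so a client
    can name any file the server process is allowed to write."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_csv(frame))
    return path


def confined_path(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.
    Note: Path(base) / "/abs" yields "/abs", so the containment check after
    resolve() is what actually blocks absolute paths, ".." traversal and
    symlinks inside base_dir that point outside it."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"export path escapes {base}: {user_path!r}")
    return candidate


def is_confined(base_dir, user_path):
    """Boolean form of confined_path for policy checks and tests."""
    try:
        confined_path(base_dir, user_path)
        return True
    except ValueError:
        return False


def export_confined(frame, base_dir, user_path):
    """Hardened pattern: confined path plus exclusive-create ("x" mode), so an
    existing file is never overwritten even inside the export directory."""
    target = confined_path(base_dir, user_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    with open(target, "x", encoding="utf-8") as fh:
        fh.write(render_csv(frame))
    return target


def make_export_dir():
    """Fresh temporary base directory for trying the functions above."""
    return tempfile.mkdtemp()


if __name__ == "__main__":
    base = make_export_dir()
    print(render_csv(SAMPLE_FRAME), end="")
    print("confined:", export_confined(SAMPLE_FRAME, base, "frames/out.csv"))
    print("traversal allowed?", is_confined(base, "../escape.csv"))
```

The exclusive-create mode closes the overwrite half of the bug independently of the path check, which matters because a resolve-then-open sequence is still racy against a symlink created between the two calls; together the two controls leave the endpoint able to create new files only, and only under `base_dir`.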