We use cookies to improve your experience on our site.
AVID-2026-R1604
Description
Denial of Service in h2oai/h2o-3 (CVE-2024-7768)
Details
A vulnerability in the /3/ImportFiles endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, path, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.
Reason for inclusion in AVID: The CVE describes a denial-of-service vulnerability in h2oai/h2o-3, a machine learning framework/library. It is a software vulnerability in a component used to build/deploy AI systems, with impact on availability in AI tooling and pipelines. This is within the software supply chain for general-purpose AI, since H2O-3 is commonly used in ML workflows. The report provides concrete details (endpoint, parameter abuse, CVSS, CWE) sufficient for evaluation.
References
Affected or Relevant Artifacts
- Developer: h2oai
- Deployer: h2oai
- Artifact Details:
| Type | Name |
|---|---|
| System | h2oai/h2o-3 |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Base Score | 7.5 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-770 | CWE-770 Allocation of Resources Without Limits or Throttling |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry