Arbitrary File Overwrite in h2oai/h2o-3
Description
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a trained model file, although the content of the overwrite is not controllable by the attacker.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
H2O-3 3.46.0 lacks path validation on its model export endpoint, allowing an attacker to overwrite arbitrary server files via a trained model file.
Vulnerability
Description
The H2O-3 machine learning platform, version 3.46.0, contains a vulnerability in its model export endpoint. The endpoint does not restrict or validate the file path provided by the user, allowing an attacker to specify an arbitrary path on the server's filesystem [1][2]. This means that when exporting a model, the attacker can direct the output to any location, including system or application files, effectively overwriting them with the contents of a trained model [2].
Exploitation
Prerequisites
An attacker must have access to the model export functionality, which typically requires authentication or network access to the H2O-3 instance [2]. The attacker also needs to have a trained model available to export; however, the model's exact content is irrelevant because the overwrite payload is the model file itself [2][4]. No further user interaction or additional privileges are required after gaining access to the endpoint [2].
Impact
The impact is denial of service or server compromise via file overwrite. By overwriting critical files (such as application configuration, binaries, or startup scripts) with a model file, an attacker can disrupt normal operations, cause the server to fail, or potentially gain further control depending on the context [2][4]. The content of the overwriting model file is not attacker-controlled beyond the model's own binary format, so precise targeted manipulation of file content is not possible [2][4].
Mitigation
As of the publication date (2025-03-20), the vulnerability is unpatched in the affected version [2][4]. Users should restrict network access to the H2O-3 model export endpoint, monitor for suspicious export requests, and consider implementing a reverse proxy with path validation as a workaround [4]. H2O.ai has not yet released a security update addressing this issue.
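One way to implement the path validation suggested above in a filtering proxy, as an added example (not H2O's code and not taken from the advisory). It assumes that exports should only land under a single directory, `EXPORT_ROOT` (a hypothetical path), and that the proxy has already extracted the requested destination from the export request; the returned reason string is meant for logging rejected requests.

```python
import os
import re

# Assumption: every legitimate export lands under this one directory (hypothetical path).
EXPORT_ROOT = "/srv/h2o/exports"

# Anything shaped like scheme://... is refused so only local paths are evaluated.
_URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def check_export_path(requested, root=EXPORT_ROOT):
    """Return (allowed, reason) for a client-supplied export destination."""
    if not requested or "\x00" in requested:
        return False, "empty path or NUL byte"
    if _URI_SCHEME.match(requested):
        return False, "URI scheme not allowed"
    root_real = os.path.realpath(root)
    # Relative input is anchored at the export root; absolute input replaces it
    # in join() and is then judged by the containment test below.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # realpath() collapses ".." and follows symlinks, so the comparison is made
    # on the location that would really be written, not on the raw string.
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        return False, "resolves outside export root"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample destinations, not taken from real traffic.
    for dest in ["gbm_model_1", "../../etc/app.conf", "/etc/app.conf",
                 "hdfs://namenode/models", EXPORT_ROOT + "_old/m"]:
        print(dest, "->", check_export_path(dest))
```

Symlink resolution is only meaningful when the check runs against the same filesystem the H2O-3 server writes to, so the filter belongs on the same host or mount namespace.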
- GitHub - h2oai/h2o-3: H2O is an Open Source, Distributed, Fast & Scalable Machine Learning Platform: Deep Learning, Gradient Boosting (GBM) & XGBoost, Random Forest, Generalized Linear Modeling (GLM with Elastic Net), K-Means, PCA, Generalized Additive Models (GAM), RuleFit, Support Vector Machine (SVM), Stacked Ensembles, Automatic Machine Learning (AutoML), etc.
- NVD - CVE-2024-6854
- The world’s first bug bounty platform for AI/ML
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| h2o (PyPI) | >= 3.32.1.1, <= 3.46.0 | — |
| ai.h2o:h2o-core (Maven) | >= 3.32.1.1, <= 3.46.0 | — |
Affected products
- ghsa-coords: 2 versions, >= 3.32.1.1, <= 3.46.0 (+ 1 more)
- (no CPE), range: >= 3.32.1.1, <= 3.46.0
- (no CPE), range: >= 3.32.1.1, <= 3.46.0
- h2oai/h2oai/h2o-3 v5, range: unspecified
Patches
No patches discovered yet.