Arbitrary File Overwrite in h2oai/h2o-3
Description
In h2oai/h2o-3 version 3.46.0, the /99/Models/{name}/json endpoint allows for arbitrary file overwrite on the target server. The vulnerability arises from the exportModelDetails function in ModelsHandler.java, where the user-controllable mexport.dir parameter is used to specify the file path for writing model details. This can lead to overwriting files at arbitrary locations on the host system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
H2O-3 3.46.0's /99/Models/{name}/json endpoint allows arbitrary file overwrite via the `mexport.dir` parameter, enabling path traversal.
Vulnerability
In h2oai/h2o-3 version 3.46.0, the /99/Models/{name}/json endpoint is vulnerable to arbitrary file overwrite on the target server. The root cause lies in the exportModelDetails function within ModelsHandler.java, where the user-controllable mexport.dir parameter is directly used to specify the file path for writing model details without proper sanitization [1][2]. This flaw allows an attacker to control the destination path, leading to path traversal.
Exploitation
An attacker can exploit this vulnerability by crafting a request to the /99/Models/{name}/json endpoint with a malicious mexport.dir parameter. The parameter accepts arbitrary file paths, including those with directory traversal sequences like ../, enabling the attacker to write model details to any location on the host filesystem where the H2O process has write permissions [2][4]. No authentication is required if the H2O-3 instance is exposed without proper access controls.
Impact
Successful exploitation allows an attacker to overwrite arbitrary files on the server. This could lead to denial of service by corrupting critical system files, privilege escalation if configuration files (e.g., SSH keys, application configs) are overwritten, or remote code execution if executable files are replaced [2][4]. The vulnerability is classified with a high severity due to the low complexity and potential for significant system compromise.
Mitigation
As of the publication date, no patch is available for this vulnerability in the H2O-3 3.46.0 release. Users are advised to restrict network access to the H2O-3 API endpoints, implement authentication, or monitor for any official security updates from the vendor [2]. The vulnerability has been reported through the Huntr bug bounty platform, and users should track the H2O-3 GitHub repository for future fixes [1][4].
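The containment check that closes this class of bug, shown here as an added example and not as code from the h2o-3 project (the page records no patch): `unsafeTarget` mirrors the pattern the advisory describes, a caller-supplied directory used as the write location unchanged, while `safeTarget` is a hardened form that resolves the requested directory against a fixed export root, normalizes it, and rejects any result that lands outside the root, both lexically and after following symlinks. The export root, the method names and the `.json` file suffix are assumptions for illustration, not h2o-3 settings.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ExportPathCheck {
    // Hypothetical fixed export root (an assumption for this example, not an h2o-3 setting).
    static final Path EXPORT_ROOT =
        Paths.get(System.getProperty("java.io.tmpdir"), "h2o-exports").toAbsolutePath().normalize();

    // Pattern the advisory describes: the caller's directory becomes the write location as-is,
    // so "../" segments or an absolute path put the file wherever the process may write.
    static Path unsafeTarget(String requestedDir, String modelName) {
        return Paths.get(requestedDir, modelName + ".json");
    }

    // Hardened form: the request may only select a subdirectory of EXPORT_ROOT.
    static Path safeTarget(String requestedDir, String modelName) throws IOException {
        // The file name component must be a plain name, never a path fragment.
        if (modelName.isEmpty() || modelName.contains("/") || modelName.contains("\\")
                || modelName.contains("..")) {
            throw new IllegalArgumentException("invalid model name");
        }
        // resolve() keeps an absolute requestedDir unchanged and normalize() collapses "..",
        // so a lexical escape shows up as a path that no longer starts with EXPORT_ROOT.
        Path candidate = EXPORT_ROOT.resolve(requestedDir).normalize();
        if (!candidate.startsWith(EXPORT_ROOT)) {
            throw new IOException("export dir escapes root: " + requestedDir);
        }
        Files.createDirectories(candidate);
        // Second check after symlink resolution: a link planted inside the root must not
        // redirect the write outside it.
        Path realRoot = EXPORT_ROOT.toRealPath();
        Path realDir = candidate.toRealPath();
        if (!realDir.startsWith(realRoot)) {
            throw new IOException("export dir resolves outside root: " + requestedDir);
        }
        return realDir.resolve(modelName + ".json");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample requests: two inside the root, two that try to leave it.
        String[] requests = {"run1", "nested/ok", "../../outside", "/tmp/outside"};
        for (String dir : requests) {
            System.out.println("unchecked: " + unsafeTarget(dir, "gbm_model"));
            try {
                System.out.println("checked:   " + safeTarget(dir, "gbm_model"));
            } catch (IOException | IllegalArgumentException e) {
                System.out.println("rejected:  " + dir + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The two `startsWith` checks are deliberate: the first catches `..` and absolute paths before anything touches the filesystem, the second catches a symlink inside the root that points elsewhere, which a purely lexical check cannot see. A handler that applies this check still needs the network and authentication controls above, since the check only bounds where a legitimate export may land.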
- GitHub - h2oai/h2o-3: H2O is an Open Source, Distributed, Fast & Scalable Machine Learning Platform
- NVD - CVE-2024-8616
- Huntr - bug bounty platform for AI/ML
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| h2o (PyPI) | >= 3.10.4.1, <= 3.46.0 | — |
| ai.h2o:h2o-core (Maven) | >= 3.10.4.1, <= 3.46.0 | — |
Affected products
- GHSA coordinates (2 entries, no CPE): range >= 3.10.4.1, <= 3.46.0
- h2oai/h2o-3 (v5): range unspecified
Patches
No patches discovered yet.