Critical severity9.8OSV Advisory· Published Sep 2, 2025· Updated Apr 15, 2026

CVE-2025-5662

CVE-2025-5662

Description

A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. The endpoint accepts a caller-supplied JDBC connection string, and the existing filter for dangerous JDBC parameters only recognised parameter names introduced by `?`, `;` or `&`; a MySQL Connector/J key-value style address (`jdbc:mysql://(host=...,port=...,autoDeserialize=true,...)`) therefore bypassed the check, allowing remote code execution (RCE). The issue was reproduced with MySQL JDBC Driver version 8.0.19 and JDK version 8u112. The issue is resolved in version 3.46.0.8, which validates parameter names regardless of the delimiter that precedes them.

Affected products

1
  • Range: RELEASE-0.1.14, RELEASE-0.1.17, RELEASE-0.1.4, …

Patches

1
f714edd6b842

GH-16622 Validate parameters also when user define jdbs with key-value (#16624)

https://github.com/h2oai/h2o-3Adam ValentaJun 18, 2025via osv
2 files changed · +70 1
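--- a/h2o-core/src/main/java/water/jdbc/SQLManager.java
+++ b/h2o-core/src/main/java/water/jdbc/SQLManager.java
@@ -42,7 +42,7 @@ public class SQLManager {
 
   private static final String DISALLOWED_JDBC_PARAMETERS_PARAM = H2O.OptArgs.SYSTEM_PROP_PREFIX + "sql.jdbc.disallowed.parameters";
 
-  private static final Pattern JDBC_PARAMETERS_REGEX_PATTERN = Pattern.compile("(?i)[?;&]([a-z]+)=");
+  private static final Pattern JDBC_PARAMETERS_REGEX_PATTERN = Pattern.compile("(?i)([a-z0-9_]+)\\s*=\\s*");
 
   private static final List<String> DEFAULT_JDBC_DISALLOWED_PARAMETERS = Stream.of(
           "autoDeserialize", "queryInterceptors", "allowLoadLocalInfile", "allowMultiQueries", //mysql 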
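Review bot: The widened pattern still ties the protection to a textual denylist matched by regex rather than to how the driver itself tokenises the URL, so it only catches a disallowed name spelled as a run of `[a-z0-9_]` immediately before `=`; any spelling the driver normalises before lookup (percent-encoded key characters, for instance — worth confirming against Connector/J's URL parser rather than assuming either way) would pass this check yet still be honoured. A more robust approach is to parse the URL with the driver's own parser and reject it if the resulting property set contains a disallowed name, or to move to an allowlist of known-safe properties. The constant also deserves a why-comment, because the old `[?;&]` prefix was exactly what let the `(host=...,autoDeserialize=true)` form through: `// Match "key=" anywhere, not only after ?;& — the "(k=v,...)" address form bypassed the old prefix (GH-16622).` The loop that consumes this pattern and compares captures against the disallowed list lies outside the hunk.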
    
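--- a/h2o-core/src/test/java/water/jdbc/SQLManagerTest.java
+++ b/h2o-core/src/test/java/water/jdbc/SQLManagerTest.java
@@ -165,4 +165,73 @@ public void testValidateJdbcConnectionStringMysql() {
 
     SQLManager.validateJdbcUrl(mysqlMaliciousJdbc);
   }
+
+  @Test
+  public void testValidateJdbcConnectionStringMysqlKeyValuePairs() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("Potentially dangerous JDBC parameter found: autoDeserialize");
+
+    String jdbcConnection = "jdbc:mysql://(host=127.0.0.1,port=3308,autoDeserialize=true,queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor,user=deser_CUSTOM,maxAllowedPacket=655360)";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
+
+  @Test
+  public void testValidateJdbcConnectionStringMysqlKeyValuePairsSpace() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("Potentially dangerous JDBC parameter found: autoDeserialize");
+
+    String jdbcConnection = "jdbc:mysql://(host=127.0.0.1,port=3308, autoDeserialize  =  true,queryInterceptors = com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor,user=deser_CUSTOM,maxAllowedPacket=655360)";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
+
+  @Test
+  public void testValidateJdbcConnectionStringMysqlKeyValuePairsCAPITAL() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("Potentially dangerous JDBC parameter found: AUTODeserialize");
+
+    String jdbcConnection = "jdbc:mysql://(host=127.0.0.1,port=3308, AUTODeserialize  =  true,queryInterceptors = com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor,user=deser_CUSTOM,maxAllowedPacket=655360)";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }  
+
+  @Test
+  public void testValidateJdbcConnectionStringMysqlSpaceBetween() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("Potentially dangerous JDBC parameter found: allowLoadLocalInfile");
+
+    String jdbcConnection = "jdbc:mysql://127.0.0.1:3306/mydb?allowLoadLocalInfile  =  true&  autoDeserialize=true";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
+
+  @Test
+  public void testValidateJdbcConnectionStringMysqlCAPITAL() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("Potentially dangerous JDBC parameter found: AUTODESERIALIZE");
+
+    String jdbcConnection = "jdbc:mysql://127.0.0.1:3306/mydb?AUTODESERIALIZE  =  true&  allowLoadLocalInfile=true";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }  
+
+  @Test
+  public void testValidateJdbcConnectionStringMysqlOneParameter() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("Potentially dangerous JDBC parameter found: allowLoadLocalInfile");
+
+    String jdbcConnection = "jdbc:mysql://127.0.0.1:3306/mydb?allowLoadLocalInfile=true";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
+
+  /**
+   * Test fail if any exception is thrown therefore no assert
+   */
+  @Test
+  public void testValidateJdbcConnectionStringMysqlPass() {
+    String jdbcConnection = "jdbc:mysql://127.0.0.1:3306/mydb?allowedParameter=true";
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
 }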
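Review bot: The only negative test, `testValidateJdbcConnectionStringMysqlPass`, still uses the `?`-delimited form, so nothing in this hunk proves that a benign key-value address such as `jdbc:mysql://(host=127.0.0.1,port=3308,user=deser_CUSTOM)` is accepted; a regression that over-matches and rejects every parenthesised URL would sail through this suite. A companion pass test for the key-value form closes that gap. The six rejection tests differ only in the URL string and the expected name, which is a natural fit for a parameterised test or a small helper, and `}  ` on two of the method closings carries trailing whitespace.
```java
  /**
   * Key-value address form with only benign parameters must be accepted; fails on any exception.
   */
  @Test
  public void testValidateJdbcConnectionStringMysqlKeyValuePairsPass() {
    String jdbcConnection = "jdbc:mysql://(host=127.0.0.1,port=3308,user=deser_CUSTOM,maxAllowedPacket=655360)";
    SQLManager.validateJdbcUrl(jdbcConnection);
  }
```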
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
