VYPR
Critical severity9.8NVD Advisory· Published Sep 1, 2025· Updated Apr 15, 2026

CVE-2025-6507

CVE-2025-6507

Description

A vulnerability in the h2oai/h2o-3 repository allows attackers to exploit deserialization of untrusted data, potentially leading to arbitrary code execution and reading of system files. This issue affects the latest master branch version 3.47.0.99999. The vulnerability arises from the ability to bypass regular expression filters intended to prevent malicious parameter injection in JDBC connections. Attackers can manipulate spaces between parameters to evade detection, allowing for unauthorized file access and code execution. The vulnerability is addressed in version 3.46.0.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • H2oai/H2o 3references2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <=3.47.0.99999

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.