CVE-2025-6544 Overview
CVE-2025-6544 is an insecure deserialization vulnerability affecting h2oai/h2o-3 versions <= 3.46.0.8. The flaw resides in the handling of Java Database Connectivity (JDBC) connection parameters. Attackers bypass regular expression validation using double URL encoding, then inject malicious JDBC parameters that trigger unsafe deserialization. Successful exploitation allows unauthenticated attackers to read arbitrary system files and execute arbitrary code on affected H2O machine learning servers. The issue is categorized under CWE-502: Deserialization of Untrusted Data.
Critical Impact
Unauthenticated network attackers can achieve full remote code execution and arbitrary file read on H2O-3 servers running version 3.46.0.8 or earlier.
Affected Products
- h2oai/h2o-3 versions <= 3.46.0.8
- H2O machine learning platform deployments exposing the REST API
- Any application embedding the vulnerable h2o-3 JDBC import functionality
Discovery Timeline
- 2025-09-21 - CVE-2025-6544 published to the National Vulnerability Database (NVD)
- 2025-10-08 - Last updated in NVD database
Technical Details for CVE-2025-6544
Vulnerability Analysis
The vulnerability stems from improper validation of JDBC connection strings within h2oai/h2o-3. H2O accepts JDBC URLs to import data from external databases. The application applies a regular expression filter intended to block dangerous JDBC driver parameters that enable deserialization gadgets. Attackers defeat this filter by applying double URL encoding to malicious parameter names and values. The decoded payload reaches the underlying JDBC driver, which deserializes attacker-controlled data. Depending on the gadget chain selected, this yields arbitrary file disclosure or remote code execution. Exploitation requires neither authentication nor user interaction.
Root Cause
The root cause is reliance on regular expression denylisting for JDBC parameter validation without canonicalizing input before the check. Because the validator inspects the once-decoded form while the consumer decodes the value twice, dangerous parameters slip through. Unsafe deserialization of untrusted data [CWE-502] then occurs when the JDBC driver processes the smuggled parameters.
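To make the root cause concrete, here is an added example (not h2o-3 code) contrasting the flawed validate-once-decoded pattern with a canonicalize-first validator. The driver option names are the ones this advisory lists; ALLOWED_PARAMS and the sample URLs are constructed assumptions.

```python
# Added example (not h2o-3 code): validate-then-decode vs. canonicalize-then-validate.
# Option names come from the advisory; ALLOWED_PARAMS and the sample URLs are constructed.
import re
from urllib.parse import unquote

# Driver options the advisory names as reaching deserialization sinks.
DANGEROUS = re.compile(r"autoDeserialize|queryInterceptors|statementInterceptors", re.I)
ALLOWED_PARAMS = {"user", "password", "ssl"}  # assumption: what an import job needs


def naive_check(jdbc_url: str) -> bool:
    """The flawed pattern: decode once, then look for denylisted names.
    %2561utoDeserialize is still %61utoDeserialize here and slips past the regex,
    while the consumer decodes a second time and sees autoDeserialize."""
    return DANGEROUS.search(unquote(jdbc_url)) is None


def hardened_check(jdbc_url: str) -> bool:
    """Canonicalize first: decode once and require the result to be stable, so any
    layered encoding is rejected outright; then allowlist the parameter names so a
    newly discovered dangerous driver option needs no regex update to be blocked."""
    canonical = unquote(jdbc_url)
    if unquote(canonical) != canonical:
        return False  # a second decode still changed it: a smuggled encoding layer
    query = canonical.partition("?")[2]
    names = [pair.partition("=")[0].strip().lower() for pair in query.split("&") if pair]
    # Values that legitimately contain a percent sign must then travel in a separate
    # request field (for example a password parameter), not inline in the URL.
    return all(name in ALLOWED_PARAMS for name in names)


# Constructed URLs: a benign import, an unlisted option, a single- and a double-encoded name.
BASE = "jdbc:mysql://db.internal.example:3306/sales?user=etl"
BENIGN = BASE + "&ssl=true"
UNLISTED = BASE + "&connectTimeout=5000"
SINGLE = BASE + "&auto%44eserialize=true"
DOUBLE = BASE + "&%2561utoDeserialize=true"

if __name__ == "__main__":
    for label, url in [("benign", BENIGN), ("unlisted", UNLISTED), ("single", SINGLE), ("double", DOUBLE)]:
        print(f"{label:8} naive={naive_check(url)!s:5} hardened={hardened_check(url)}")
```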
Attack Vector
The attack vector is network-based against the H2O-3 REST API. An attacker submits a crafted import request containing a JDBC URL with double URL-encoded parameters. The vulnerable parser normalizes the input after validation and forwards the malicious connection string to the JDBC layer. Driver-specific deserialization sinks then execute attacker-supplied serialized objects in the H2O process context. Refer to the Huntr bounty disclosure and the upstream commit fixing the issue for protocol-level technical details.
Detection Methods for CVE-2025-6544
Indicators of Compromise
- HTTP requests to H2O-3 import endpoints (for example /3/ImportSQLTable or /99/ImportSQLTable) containing JDBC URLs with %25 sequences indicating double URL encoding.
- Outbound JDBC driver connections from the H2O process to attacker-controlled hosts or to file:// and ldap:// style URIs.
- Unexpected child processes spawned by the H2O Java Virtual Machine (JVM), such as /bin/sh, bash, or powershell.exe.
- New or modified files in the H2O working directory shortly after an import API call.
Detection Strategies
- Inspect web server and reverse proxy logs for POST requests to H2O import endpoints carrying JDBC parameters such as autoDeserialize, queryInterceptors, or statementInterceptors in any encoded form.
- Flag any request body or query string containing repeated percent-encoding sequences (%25xx) targeted at H2O-3 endpoints.
- Correlate JVM process telemetry with network egress to identify the H2O process initiating outbound connections to non-database destinations.
- Hunt for Java deserialization stack traces in H2O server logs that reference ObjectInputStream.readObject or similar deserialization entry points.
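The detection strategies above, as an added example that is not part of the advisory or of h2o-3: a scanner over constructed access-log lines that counts the percent-encoding layers on requests to the import endpoints and reports the deserialization-related option names once the request is fully decoded. The log layout and the connection_url form field are assumptions; the endpoints and option names are the advisory's.

```python
# Added example (not the advisory's or h2o-3's code). Log layout, the connection_url
# form field and the sample lines are constructed; endpoints and option names are from the advisory.
import re
from urllib.parse import unquote

IMPORT_ENDPOINT = re.compile(r"^/(3|99)/ImportSQLTable(\?|$)")
DANGEROUS = re.compile(r"autoDeserialize|queryInterceptors|statementInterceptors", re.I)
# Combined-log-style line with the form body logged as a final quoted field.
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                  r' [^"]*" (?P<status>\d{3}) "(?P<body>[^"]*)"$')
LOG = """\
10.0.0.5 - - [21/Sep/2025:10:00:01 +0000] "POST /99/ImportSQLTable HTTP/1.1" 200 "connection_url=jdbc%3Amysql%3A%2F%2Fdb.internal.example%3A3306%2Fsales%3Fuser%3Detl&table=orders"
10.0.0.9 - - [21/Sep/2025:10:00:07 +0000] "POST /99/ImportSQLTable HTTP/1.1" 200 "connection_url=jdbc%3Amysql%3A%2F%2Fdb.internal.example%3A3306%2Fsales%3F%2561utoDeserialize%3Dtrue&table=orders"
10.0.0.9 - - [21/Sep/2025:10:00:09 +0000] "POST /3/ImportSQLTable HTTP/1.1" 200 "connection_url=jdbc%3Amysql%3A%2F%2Fdb.internal.example%3A3306%2Fsales%3Fquery%2549nterceptors%3Dx&table=orders"
10.0.0.5 - - [21/Sep/2025:10:00:12 +0000] "GET /3/Cloud HTTP/1.1" 200 "-"
"""

def decode_rounds(value: str, limit: int = 5) -> tuple[str, int]:
    """Percent-decode until stable; the round count is the number of encoding layers."""
    rounds = 0
    while rounds < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def scan(log_text: str) -> list[dict]:
    """One finding per import-endpoint request that stacks more encoding layers than the
    single form-encoding every client produces, or that names a dangerous driver option."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or not IMPORT_ENDPOINT.match(m["path"]):
            continue
        query = m["path"].partition("?")[2]
        body = "" if m["body"] == "-" else m["body"]
        decoded, rounds = decode_rounds(query + "&" + body)
        names = sorted({n.lower() for n in DANGEROUS.findall(decoded)})
        if rounds > 1 or names:  # tune: JDBC values with a literal % legitimately need rounds == 2
            findings.append({"src": m["src"], "ts": m["ts"], "rounds": rounds,
                             "params": names, "severity": "high" if names else "review"})
    return findings

if __name__ == "__main__":
    for finding in scan(LOG):
        print(finding)
```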
Monitoring Recommendations
- Enable verbose access logging on the H2O REST API and forward logs to a centralized analytics platform for retention and queryability.
- Baseline expected JDBC destinations and alert when the H2O service contacts new external hosts.
- Monitor for unexpected file reads of sensitive paths such as /etc/passwd, /etc/shadow, or cloud metadata endpoints originating from the H2O service account.
How to Mitigate CVE-2025-6544
Immediate Actions Required
- Upgrade h2oai/h2o-3 to a version newer than 3.46.0.8 that includes commit 0298ee3.
- Restrict network access to H2O-3 REST API ports so only trusted internal clients can reach the service.
- Run the H2O process under a dedicated low-privilege account to limit the impact of successful code execution.
- Audit recent API access logs for double-encoded JDBC parameters and treat any matches as suspected compromise.
Patch Information
The maintainers fixed the deserialization vector in commit 0298ee348f5c73673b7b542158081e79605f5f25. The patch hardens JDBC connection parameter validation so that double URL-encoded payloads cannot bypass the filter. Upgrading to the fixed release is the only complete remediation. Additional context is available in the Huntr bounty report.
Workarounds
- Disable or remove the JDBC import functionality if it is not required in your deployment.
- Place H2O-3 behind an authenticating reverse proxy or VPN to block unauthenticated network access.
- Deploy a web application firewall rule that rejects requests to H2O import endpoints containing %25 sequences in JDBC parameter values.
- Remove vulnerable JDBC drivers known to expose deserialization sinks from the H2O classpath where feasible.
# Example WAF rule (ModSecurity) to block double-encoded JDBC payloads to the H2O import endpoints.
# ModSecurity URL-decodes ARGS once while parsing the request, so a double-encoded %2541 arrives
# here as %41; any percent sequence that survives that first decode is the double-encoding signature.
SecRule REQUEST_URI "@rx ^/(3|99)/ImportSQLTable" \
"chain,id:1006544,phase:2,deny,log,msg:'CVE-2025-6544 double-encoded JDBC param'"
SecRule ARGS "@rx %[0-9a-fA-F]{2}" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.