CVE-2025-0782

critical

Description

A vulnerability in the S3 bucket configuration for h2oai/h2o-3 allows public write access to the 'h2o-release' bucket. This issue affects all versions and could enable an attacker to overwrite any file in the bucket. As users download binary files such as JARs from this bucket, this vulnerability could lead to remote code execution (RCE) on any user who uses the application. Additionally, an attacker could modify the documentation to include malicious download links.
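A defender-side check for the misconfiguration class described above, added here as an example and not code from this advisory or from the h2o-3 project: it inspects a bucket's ACL grants and its bucket policy and reports every grant of object-write permission to a public principal. The ACL and policy documents are constructed inline in the shape returned by the AWS GetBucketAcl / GetBucketPolicy APIs, so the script runs offline; the bucket name `example-release` is a placeholder.

```python
import json

# Group URIs AWS uses for anonymous and any-authenticated-AWS-account grants.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_WRITE = {"WRITE", "FULL_CONTROL"}  # ACL permissions that allow object writes
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "s3:put*", "*"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _public_principal(p):
    # "*" or {"AWS": "*"} means anyone, including unauthenticated callers.
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def public_write_findings(acl, policy_json=None):
    """Return findings for every ACL grant or policy statement granting public write."""
    findings = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("URI") in PUBLIC_GROUPS and g.get("Permission") in ACL_WRITE:
            findings.append(f"ACL: {g['Permission']} granted to {grantee['URI']}")
    if policy_json:
        for s in _as_list(json.loads(policy_json).get("Statement", [])):
            if s.get("Effect") != "Allow" or not _public_principal(s.get("Principal")):
                continue
            writes = [a for a in _as_list(s.get("Action", [])) if a.lower() in WRITE_ACTIONS]
            if writes:
                # A Condition may narrow the grant; still report it for review.
                cond = " (has Condition)" if s.get("Condition") else ""
                findings.append(f"Policy {s.get('Sid', '?')}: {writes} allowed to public principal{cond}")
    return findings

# Constructed sample documents shaped like GetBucketAcl / GetBucketPolicy output.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNERID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-release/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-release/*"},
]})
```

Calling `public_write_findings(SAMPLE_ACL, SAMPLE_POLICY)` returns two findings (the AllUsers WRITE grant and the OpenUpload statement); a public-read-only bucket returns an empty list.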

References

https://huntr.com/bounties/4587cec7-8bc5-48ab-8614-105d41c99151

https://github.com/h2oai/h2o-3/commit/6740655b70cef40ec67d952bee2d23f7d33c7419

Details

Source: Mitre, NVD

Published: 2025-05-02

Updated: 2025-05-02

Risk Information

CVSS v2

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Severity: Critical

EPSS

EPSS: 0.00111