CVE-2024-8062
Published: 20 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-8062 is a denial-of-service vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0. The endpoint issues a HEAD request to verify that a user-specified resource exists, but sets no timeout on that request, so a request that never completes ties up server resources until they are exhausted.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). An attacker sends multiple requests specifying an attacker-controlled server that hangs on the HEAD request, causing the application to block and become unresponsive to other requests. This leads to a denial of service with high availability impact, mapped to CWE-1088.
Mitigation details are available in the advisory published on Huntr.dev at https://huntr.com/bounties/a04190d9-4acb-449a-9a7f-f1bf6be1ed23. The CVE was published on 2025-03-20.
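As an added illustration of the missing-timeout failure mode described above (example code, not h2o-3's own), the following Python existence check applies a socket-level deadline to its HEAD request and is run against a constructed local fixture that accepts connections but never answers. `resource_exists`, `timed_check` and `start_hanging_server` are hypothetical names.

```python
import http.client
import socket
import threading
import time
from urllib.parse import urlparse


def resource_exists(url: str, timeout: float = 2.0) -> bool:
    """HEAD the URL and report whether it exists, blocking at most `timeout` seconds.

    Hypothetical hardened helper: the same call with timeout=None would hold the
    serving thread for as long as the remote host chooses to stay silent.
    """
    parts = urlparse(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)  # socket-level deadline
    try:
        conn.request("HEAD", parts.path or "/")
        return 200 <= conn.getresponse().status < 400
    except (socket.timeout, OSError):
        return False  # silent or unreachable host: fail closed and free the worker
    finally:
        conn.close()


def timed_check(url: str, timeout: float) -> tuple[bool, float]:
    """Return (result of resource_exists, seconds the check took)."""
    start = time.monotonic()
    return resource_exists(url, timeout), time.monotonic() - start


def start_hanging_server() -> int:
    """Constructed fixture: accepts TCP connections and never answers. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    held = []  # keep accepted sockets alive so the client sees silence, not a reset

    def accept_forever():
        while True:
            held.append(srv.accept()[0])

    threading.Thread(target=accept_forever, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_hanging_server()
    exists, took = timed_check(f"http://127.0.0.1:{port}/", timeout=1.0)
    print(f"exists={exists} after {took:.2f}s")  # ~1s, instead of blocking indefinitely
```

Without the `timeout` argument the same check never returns against this fixture, which is the blocking behaviour the advisory describes; with it, each silent upstream costs the worker a bounded second.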
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: H2O-3 is an open-source distributed machine learning platform with a web interface (including the typeahead endpoint). It is categorized under Other Platforms because it is a full ML platform that does not fit narrower categories such as frameworks or libraries.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the typeahead endpoint enables denial of service through exploitation: an attacker can make the application issue blocking HEAD requests, which have no timeout, to an attacker-controlled server that never responds, exhausting application resources and rendering it unresponsive.