Home > Vulnerability Database > CVE-2025-6544

Mend.io Vulnerability Database

CVE-2025-6544

Good to know:

Date: September 21, 2025

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.

Severity Score

9.8

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-6544

Url: https://github.com/h2oai/h2o-3

Url: https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40

Url: https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25

Url: https://www.mend.io/vulnerability-database/CVE-2025-6544

Severity Score

9.8

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

Upgrade Version

Upgrade to version h2o - 3.46.0.8;ai.h2o:h2o-core:3.46.0.8

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-6544

Good to know:

Date: September 21, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?