CVE-2024-10549

A vulnerability in the `/3/Parse` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an attacker can exhaust all available threads, leading to a complete denial of service.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/ce7bd2d6-fd38-440d-a91a-dd8f3fc06bc2	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:h2o:h2o:3.46.0.1:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-10549

Mitre link : CVE-2024-10549

CVE.ORG link : CVE-2024-10549

JSON object : View

Products Affected

h2o

CWE

CWE-1333

Inefficient Regular Expression Complexity

7.5 /10