Introduction
H2O-3 is a popular open-source machine learning platform developed by h2o.ai, widely used for building and deploying AI models at scale. Recently, two critical deserialization vulnerabilities, CVE-2025-6544 and CVE-2025-6507, were disclosed in H2O-3, both stemming from insecure handling of JDBC connection parameters. These flaws allow unauthenticated attackers to achieve remote code execution (RCE) and arbitrary file reads. Notably, CVE-2025-6544 is a bypass of the mitigation introduced for CVE-2025-6507, highlighting ongoing challenges in securing JDBC integrations.
Key Discoveries in This Blog Post
- Detailed breakdown of how insecure JDBC parameter handling leads to deserialization of untrusted data
- Explanation of bypass techniques: space manipulation in CVE-2025-6507 and double URL encoding in CVE-2025-6544
- Real-world exploitation risks in machine learning environments
- Official fixes and temporary mitigations
What Is CVE-2025-6544?
CVE-2025-6544: Another critical deserialization vulnerability (CVSS 9.8) in H2O-3 versions <= 3.46.0.8. This is a bypass of the fix for CVE-2025-6507 (and related earlier issues), achieved through double URL encoding to evade updated regex checks.
What Is CVE-2025-6507?
CVE-2025-6507: A critical deserialization vulnerability (CVSS 9.8) in H2O-3 versions <= 3.46.0.7 (and some later builds). It allows unauthenticated attackers to bypass regular expression filters by manipulating spaces in JDBC parameters, leading to arbitrary file reads and RCE.
Both vulnerabilities affect the JDBC connection processing logic, particularly in endpoints handling database imports (e.g., /99/ImportSQLTable).
The root cause is deserialization of untrusted data (CWE-502) without sufficient validation.
How These Vulnerabilities Work (CVE-2025-6544 & CVE-2025-6507)
The vulnerabilities occur when H2O-3 processes user-supplied JDBC connection strings for importing data from external databases, such as MySQL. Attackers can inject malicious parameters into the JDBC URL or connection properties.
For CVE-2025-6507, attackers bypass regex filters by inserting spaces between malicious parameter segments, allowing dangerous deserialization gadgets to execute.
For CVE-2025-6544, the bypass uses double URL encoding (e.g., %2520 for encoded spaces or characters) to evade strengthened filters introduced in the previous patch.
Once bypassed, the application deserializes attacker-controlled data, potentially triggering gadgets (e.g., via common libraries) that enable:
- Arbitrary file reading (e.g., /etc/passwd or sensitive model data)
- Remote code execution on the server
Public proof-of-concept details exist, though active exploitation in the wild has not been widely reported yet.
Fixes, Mitigations, and How It Was Resolved
- The issues were resolved in H2O-3 versions > 3.46.0.8.
- Specific fixes include:
  - Improved validation and filtering of JDBC parameters
  - Commit for CVE-2025-6507 mitigation: https://github.com/h2oai/h2o-3/commit/f714edd6b8429c7a7211b779b6ec108a95b7382d
  - Additional commit addressing CVE-2025-6544: https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25
- Temporary Mitigation: Restrict network access to the H2O-3 service port (default 54321) to trusted sources only; this does not impact core functionality but blocks remote exploitation.
- Users should upgrade immediately via: https://github.com/h2oai/h2o-3/tags
Real-World Applications and Impact
- Compromise of production ML platforms hosting sensitive training data
- Data exfiltration from connected databases or server files
- Full server takeover, enabling persistence or lateral movement in enterprise environments
- Disruption of AI/ML pipelines in industries like finance, healthcare, and autonomous systems
- High risk for publicly exposed H2O-3 instances
Common Challenges and Pitfalls
- For CVE-2025-6507
A critical vulnerability (CVSS score 9.8) in H2O-3 (an open-source machine learning platform) allows unauthenticated remote attackers to bypass security filters by manipulating spaces in JDBC connection parameters. It requires low attack complexity, no privileges, and can be triggered with a single HTTP request, enabling arbitrary code execution (RCE) and unauthorized access to sensitive system files.
- For CVE-2025-6544
Critical deserialization flaw (CVSS score 9.8) in H2O-3 is a bypass of the previous fix in CVE-2025-6507. Unauthenticated remote attackers can exploit improper handling of JDBC connection parameters by using double URL encoding to evade regular expression checks, enabling arbitrary code execution (RCE) and reading of arbitrary system files with low attack complexity and no privileges required.
Best Practices and Tips
- Always upgrade to the latest version of H2O-3 and monitor for security releases.
- Implement strict input validation using allowlists rather than blocklists or regex alone.
- Avoid deserializing untrusted data; prefer safer alternatives like JSON or protobuf.
- Apply network segmentation and firewall rules to limit access to service ports.
- Regularly scan dependencies with tools like OWASP Dependency-Check.
- Conduct penetration testing on data import features and external integrations.
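The two bypasses described earlier (space manipulation and double URL encoding) both succeed because a pattern is matched against the raw string. The example below is added here and is not H2O-3's code or its actual fix: it decodes the URL to a fixed point, rejects whitespace, and then applies an allowlist, as the validation tip above recommends. The parameter name riskyOption, the sample URLs, and the allowed scheme and parameter sets are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed policy for this example: what one deployment actually needs.
ALLOWED_SCHEMES = {"jdbc:mysql", "jdbc:postgresql"}
ALLOWED_PARAMS = {"useSSL", "serverTimezone", "characterEncoding"}
URL_SHAPE = re.compile(
    r"(jdbc:[a-z]+)://([A-Za-z0-9.-]+)(:\d{1,5})?/(\w+)(?:\?(.*))?")
# Blocklist in the style the post describes. "riskyOption" is a hypothetical
# parameter name standing in for whatever such a filter is meant to stop.
NAIVE_BLOCKLIST = re.compile(r"riskyOption=true", re.IGNORECASE)
# Constructed sample inputs, not taken from any real request.
SAMPLES = {
    "plain": "jdbc:mysql://db.internal:3306/sales?useSSL=true",
    "spaced": "jdbc:mysql://db.internal:3306/sales?riskyOption =true",
    "double": "jdbc:mysql://db.internal:3306/sales?risky%254Fption=true",
}

def naive_filter_allows(url: str) -> bool:
    return NAIVE_BLOCKLIST.search(url) is None  # matches the raw string only

def canonicalize(url: str) -> str:
    """Percent-decode until the string stops changing (at most 5 rounds)."""
    for _ in range(5):
        decoded = unquote(url)
        if decoded == url:
            return url
        url = decoded
    raise ValueError("too many encoding layers")

def validate_jdbc_url(url: str) -> str:
    """Return the canonical URL to pass to the driver, or raise ValueError."""
    canon = canonicalize(url)
    if re.search(r"[\s\x00-\x1f]", canon):
        raise ValueError("whitespace or control character in URL")
    m = URL_SHAPE.fullmatch(canon)
    if not m or m.group(1) not in ALLOWED_SCHEMES:
        raise ValueError("URL shape or scheme not allowed")
    for pair in filter(None, (m.group(5) or "").split("&")):
        name, _, value = pair.partition("=")
        if name not in ALLOWED_PARAMS or not re.fullmatch(r"[\w./+-]+", value):
            raise ValueError(f"parameter not allowed: {pair!r}")
    return canon

def is_accepted(url: str) -> bool:
    try:
        return bool(validate_jdbc_url(url))
    except ValueError:
        return False
```

Pass the string returned by validate_jdbc_url, not the original input, to the driver, so the value that was checked is the value that is used.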
Future Trends and Conclusion
As machine learning platforms like H2O-3 become more integrated with external data sources, vulnerabilities in connection handlers will remain a prime target. The repeated bypasses seen here underscore the need for defense-in-depth approaches beyond simple filtering. Security starts with integrity, even in your database connections.
FAQ
- What is CVE-2025-6544?
A deserialization vulnerability in H2O-3’s JDBC parameter processing that allows arbitrary code execution and file reads.
- What is CVE-2025-6507?
A related vulnerability where attackers bypass regex filters to enable unsafe deserialization in JDBC connections.
- How severe are CVE-2025-6544 and CVE-2025-6507?
Both are rated CVSS 9.8 (Critical), allowing unauthenticated RCE.
- Does this affect other H2O products?
These CVEs specifically impact the open-source H2O-3 repository; check h2o.ai for enterprise product status.
- Which versions are affected?
All H2O-3 versions up to 3.46.0.8 (CVE-2025-6544) and early master builds prior to mitigation (CVE-2025-6507).
