
CVE-2024-7765

Severity: High · Public PoC

Published: 20 March 2025
Modified: 01 April 2025
CVSS Score (v3.1): 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0041 (61.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-7765 is a high-severity Data Amplification (CWE-409) vulnerability in H2O H2O. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 38.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as Machine Learning Libraries, in the Data-Related Vulnerabilities risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2024-7765 affects h2oai/h2o-3 version 3.46.0.2 and involves a denial-of-service vulnerability triggered by uploading and repeatedly parsing a large GZIP file. This improper handling of highly compressed data causes significant data amplification, leading to memory exhaustion and a surge in concurrent slow-running jobs that render the server unresponsive. The issue is classified under CWE-409 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Unauthenticated remote attackers can exploit this vulnerability with low complexity over the network. By supplying a malicious large GZIP file for repeated parsing, they trigger excessive resource consumption, resulting in denial of service through server unresponsiveness.

Mitigation details are available in the referenced advisory at https://huntr.com/bounties/0e58b1a5-bdca-4e60-af92-09de9c76a9ff.

EU & UK References

Vulnerability details

In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes unresponsive due to memory exhaustion and a large number of concurrent slow-running jobs. This issue arises from the improper handling of highly compressed data, leading to significant data amplification.

CWE(s)

CWE-409 Data Amplification

AI Security Analysis

AI Category: Machine Learning Libraries
Risk Domain: Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: h2o

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability enables remote exploitation of the application to trigger resource exhaustion and denial of service via malicious compressed file input.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-8062 (same product: H2O H2O)
CVE-2026-3960 (same product: H2O H2O)
CVE-2026-8751 (same product: H2O H2O)
CVE-2025-61684 (same vendor: H2O)
CVE-2026-22776 (shared CWE-409)
CVE-2026-43970 (shared CWE-409)
CVE-2026-1526 (shared CWE-409)
CVE-2026-22870 (shared CWE-409)
CVE-2026-21441 (shared CWE-409)
CVE-2026-28435 (shared CWE-409)

Affected Assets

Vendor: h2o
Product: h2o
Version: 3.46.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SC-5 Denial-of-service Protection (prevent): Directly implements denial-of-service protections to prevent memory exhaustion and server unresponsiveness from malicious large GZIP file uploads and parsing.

SC-6 Resource Availability (prevent): Protects resource availability by enforcing allocation mechanisms that mitigate data amplification leading to memory exhaustion from highly compressed GZIP files.

Input validation control (prevent): Validates uploaded information inputs like GZIP files to block improper handling and prevent resource exhaustion from data amplification during repeated parsing.
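As an added defensive example (not code from h2o-3 or from the referenced advisory), the following Python shows the kind of input validation the controls above describe: a streaming GZIP decompressor that enforces an absolute output cap and a maximum amplification ratio, so an upload is rejected before it can inflate into the memory exhaustion described in the deeper analysis. The cap values and the sample files are constructed assumptions for illustration.

```python
import gzip
import io
import zlib

# Hypothetical policy values for this example; size them to the server's real memory budget.
MAX_DECOMPRESSED_BYTES = 4 * 1024 * 1024   # absolute ceiling for one upload's decompressed size
MAX_AMPLIFICATION_RATIO = 100              # decompressed bytes allowed per compressed byte
READ_CHUNK = 64 * 1024


class AmplificationError(ValueError):
    """Raised when an upload exceeds the size or amplification-ratio budget."""


def bounded_gunzip(data: bytes,
                   max_out: int = MAX_DECOMPRESSED_BYTES,
                   max_ratio: int = MAX_AMPLIFICATION_RATIO) -> bytes:
    """Decompress gzip bytes incrementally, aborting as soon as a cap is exceeded.

    gzip.decompress(data) inflates the whole stream in memory first; here memory
    use is bounded by the budget plus one chunk, so a small, highly compressible
    upload cannot exhaust the heap no matter how often it is parsed.
    """
    budget = min(max_out, max_ratio * max(len(data), 1))
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
        while True:
            chunk = gz.read(READ_CHUNK)
            if not chunk:
                return bytes(out)
            out += chunk
            if len(out) > budget:
                raise AmplificationError(
                    f"decompressed output exceeded budget of {budget} bytes "
                    f"for a {len(data)}-byte compressed input")


def check_upload(data: bytes) -> tuple:
    """Gate an upload before it reaches the parser: ('accepted', size) or ('rejected', reason)."""
    try:
        return ("accepted", len(bounded_gunzip(data)))
    except AmplificationError as exc:
        return ("rejected", str(exc))
    except (OSError, EOFError, zlib.error) as exc:   # malformed or truncated gzip stream
        return ("rejected", f"invalid gzip: {exc}")


# Constructed samples: a benign 2 KiB upload and 8 MiB of zeros that gzips to a few KiB.
BENIGN_GZ = gzip.compress(bytes(range(256)) * 8)
AMPLIFYING_GZ = gzip.compress(b"\x00" * (8 * 1024 * 1024))
```

Calling `check_upload` on each upload before it is handed to the parser turns a memory-exhausting input into an immediate rejection, and the ratio-based budget keeps the limit proportional to what the client actually sent.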

References