CVE-2024-7765
Published: 20 March 2025
Summary
CVE-2024-7765 is a high-severity Data Amplification (CWE-409) vulnerability in H2O's H2O product (h2oai/h2o-3). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 38.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under Machine Learning Libraries, in the Data-Related Vulnerabilities risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2024-7765 affects h2oai/h2o-3 version 3.46.0.2 and involves a denial-of-service vulnerability triggered by uploading and repeatedly parsing a large GZIP file. This improper handling of highly compressed data causes significant data amplification, leading to memory exhaustion and a surge in concurrent slow-running jobs that render the server unresponsive. The issue is classified under CWE-409 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Unauthenticated remote attackers can exploit this vulnerability with low complexity over the network. By supplying a malicious large GZIP file for repeated parsing, they trigger excessive resource consumption, resulting in denial of service through server unresponsiveness.
Mitigation details are available in the referenced advisory at https://huntr.com/bounties/0e58b1a5-bdca-4e60-af92-09de9c76a9ff.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6953
Vulnerability details
In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes unresponsive due to memory exhaustion and a large number of concurrent slow-running jobs. This issue arises from the improper handling of highly compressed data, leading to significant data amplification.
AI Security Analysis
- AI Category: Machine Learning Libraries
- Risk Domain: Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: h2o
Related Threats
MITRE ATT&CK Enterprise Techniques
- Application or System Exploitation (T1499.004)
Why these techniques?
The vulnerability enables remote exploitation of the application to trigger resource exhaustion and denial of service via malicious compressed file input.
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly implements denial-of-service protections to prevent memory exhaustion and server unresponsiveness from malicious large GZIP file uploads and parsing.
- SC-6 (Resource Availability): protects resource availability by enforcing allocation mechanisms that mitigate the data amplification which leads to memory exhaustion from highly compressed GZIP files.
- SI-10 (Information Input Validation): validates uploaded inputs such as GZIP files to block improper handling and prevent resource exhaustion from data amplification during repeated parsing.
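The resource-availability and input-validation controls above come down to one mechanism: never decompress an upload further than a configured budget. The following Python is an added illustration, not code from h2o-3 or from this advisory; the limits, the function names and the two sample inputs (a small CSV and an 8 MiB run of zeros that gzip collapses to a few KiB) are assumptions constructed for the example.

```python
import gzip
import io

# Hypothetical limits for this example (not h2o-3 settings): cap both the
# absolute decompressed size and the expansion ratio, so a small upload cannot
# be amplified into an unbounded in-memory parse job.
MAX_DECOMPRESSED_BYTES = 1 * 1024 * 1024  # 1 MiB
MAX_EXPANSION_RATIO = 100.0               # decompressed / compressed
CHUNK_SIZE = 64 * 1024

class AmplificationError(ValueError):
    """Raised when a GZIP upload would expand past the configured limits."""

def bounded_gunzip(data, max_out=MAX_DECOMPRESSED_BYTES, max_ratio=MAX_EXPANSION_RATIO):
    """Decompress incrementally and abort as soon as a limit is exceeded.

    Reading fixed-size chunks bounds memory by what has been accepted so far,
    not by whatever the stream would eventually expand to.
    """
    produced = 0
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        while True:
            piece = gz.read(CHUNK_SIZE)
            if not piece:
                break
            produced += len(piece)
            if produced > max_out:
                raise AmplificationError(f"exceeds {max_out} decompressed bytes")
            if produced > max_ratio * max(len(data), 1):
                raise AmplificationError(f"exceeds {max_ratio:.0f}x expansion")
            out += piece
    return bytes(out)

def inspect_upload(data):
    """Return ('accepted', size) or ('rejected', reason) for one GZIP upload."""
    try:
        return ("accepted", len(bounded_gunzip(data)))
    except AmplificationError as exc:
        return ("rejected", str(exc))

# Constructed sample inputs: a small CSV resembling a training-data upload, and
# 8 MiB of zeros that gzip shrinks to a few KiB (about 1000x amplification).
BENIGN = b"\n".join(b"%d,%d,%d" % (i, (i * i) % 97, i % 2) for i in range(1000))
BENIGN_GZ = gzip.compress(BENIGN)
BOMB_GZ = gzip.compress(b"\0" * (8 * 1024 * 1024))

if __name__ == "__main__":
    print(inspect_upload(BENIGN_GZ))
    print(inspect_upload(BOMB_GZ))
```

The same chunked check belongs in front of any repeated parse of the same upload, since the advisory's trigger is re-parsing the file rather than a single decompression.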