
CVE-2024-8062

Severity: High · Public PoC referenced
Published: 20 March 2025
Modified: 26 March 2025
KEV Added: not listed
Patch: none listed
CVSS v3.1: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.0025 (48.2 percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-8062 is a high-severity Synchronous Access of Remote Resource without Timeout (CWE-1088) vulnerability in H2O.ai's h2o-3 (catalogued here as vendor H2O, product H2O). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 48.2 percentile by exploit likelihood (just below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The page classifies this vulnerability as AI-related (category: Machine Learning Libraries; risk domain: Other ATLAS/OWASP Terms). Note that the classification rests on a keyword match on "h2o" (see the AI Security Analysis section), not on any ML-specific attack surface: the bug is an ordinary blocking outbound HTTP call.

The mitigations our analysis rates strongest are NIST SP 800-53 CM-6 (Configuration Settings), in practice enforcing timeouts on outbound HTTP clients, and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2024-8062 is a denial-of-service vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0. To verify that a user-specified resource exists, the endpoint issues an outbound HEAD request without setting a timeout. If the remote host never answers, the request, and the thread handling it, hang indefinitely.

The vulnerability is exploitable remotely by unauthenticated attackers with low complexity, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). An attacker sends multiple typeahead requests that point at an attacker-controlled server which accepts the connection but never responds to the HEAD request. Because the check is synchronous, each such request pins a server thread or connection; enough of them exhaust the pool and the application stops responding to other clients. This is a denial of service with high availability impact, mapped to CWE-1088.
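To make the failure mode concrete, here is an added Python stand-in. It is not h2o-3's own code (which is Java) and not the advisory's proof of concept. It models the vulnerable existence check and its hardened form, points both at a constructed local server that completes the TCP handshake and then stays silent, and fills a small worker pool with such checks to show that only the untimed variant leaves an unrelated request unserved. `HangingServer`, `resource_exists_untimed`, `resource_exists_timed`, `victim_served` and `run_demo` are illustrative names; the pool size, timeouts and URL path are arbitrary assumptions.

```python
"""CWE-1088 stand-in for CVE-2024-8062: an outbound HEAD with no timeout.

Added example, not code from h2o-3. The hanging server, the two existence
checks and the worker-pool model are constructed for illustration; only the
shape of the bug comes from the advisory.
"""
import http.client
import socket
import threading
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Dict, Optional
from urllib.parse import urlparse


class HangingServer:
    """Constructed attacker-controlled host: completes the TCP handshake, then
    never sends a byte, so any client waiting for an HTTP status line blocks."""

    def __init__(self) -> None:
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        self._srv.listen(32)
        self._held = []  # accepted sockets, kept open and never read or answered
        self._lock = threading.Lock()
        threading.Thread(target=self._accept_loop, daemon=True).start()
        host, port = self._srv.getsockname()
        self.url = f"http://{host}:{port}/does-this-exist"  # arbitrary path

    def _accept_loop(self) -> None:
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:  # listening socket closed by release()
                return
            with self._lock:
                self._held.append(conn)

    def release(self) -> None:
        """Close everything so blocked clients see EOF and can unwind."""
        self._srv.close()
        with self._lock:
            for conn in self._held:
                conn.close()
            self._held.clear()


def _head_status_ok(url: str, timeout: Optional[float]) -> bool:
    """HEAD the URL and report whether it answered with a non-error status.
    timeout=None reproduces the vulnerable behaviour from the advisory: the
    calling thread waits for as long as the peer stays silent."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        return conn.getresponse().status < 400
    except (OSError, http.client.HTTPException):
        # refused connection, TimeoutError, RemoteDisconnected, bad status line
        return False
    finally:
        conn.close()


def resource_exists_untimed(url: str) -> bool:
    """Vulnerable form: no timeout on the outbound HEAD."""
    return _head_status_ok(url, timeout=None)


def resource_exists_timed(url: str, timeout: float = 2.0) -> bool:
    """Hardened form: bounded connect and read; a silent peer yields False."""
    return _head_status_ok(url, timeout=timeout)


def victim_served(check: Callable[[str], bool], url: str,
                  workers: int = 4, wait: float = 1.5) -> bool:
    """Model the application's fixed-size request worker pool. Fill every
    worker with an existence check against the hanging host (the attacker's
    "multiple requests"), then queue an unrelated request and report whether
    it was served within `wait` seconds."""
    pool = ThreadPoolExecutor(max_workers=workers)
    try:
        for _ in range(workers):
            pool.submit(check, url)
        victim = pool.submit(lambda: "served")
        try:
            return victim.result(timeout=wait) == "served"
        except FutureTimeout:
            return False
    finally:
        pool.shutdown(wait=False)  # stuck workers unwind once the server releases


def run_demo() -> Dict[str, bool]:
    server = HangingServer()
    try:
        untimed = victim_served(resource_exists_untimed, server.url)
        timed = victim_served(lambda u: resource_exists_timed(u, timeout=0.3), server.url)
    finally:
        server.release()  # blocked untimed checks now get EOF and return False
    return {"untimed_pool_still_serves": untimed, "timed_pool_still_serves": timed}


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Run it with `python3` and the untimed pool reports that the unrelated request was never served, while the timed pool serves it once the 0.3 s waits expire. A timeout only bounds the damage per request: a flood can still fill the pool for that long, so the usual complement is a short per-request budget plus rate limiting on the endpoint, which is the territory of SC-5.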

Mitigation details are available in the advisory published on Huntr.dev at https://huntr.com/bounties/a04190d9-4acb-449a-9a7f-f1bf6be1ed23. The CVE was published on 2025-03-20.

Vulnerability details

A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a `HEAD` request to verify the existence of a specified resource without setting a timeout. An attacker can exploit this by sending multiple requests to an attacker-controlled server that hangs, causing the application to block and become unresponsive to other requests.

CWE(s)

CWE-1088 Synchronous Access of Remote Resource without Timeout

AI Security Analysis

AI Category: Machine Learning Libraries
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords: h2o

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The typeahead endpoint performs an untimed, blocking HEAD request to a host the attacker chooses. Pointing it at a server that never answers ties up the handling thread for each request; repeating this exhausts the application's request-handling resources and renders it unresponsive, which is exactly the availability loss T1499.004 describes.

CVEs Like This One

CVE-2024-7765 (same product: H2O H2O)
CVE-2026-8751 (same product: H2O H2O)
CVE-2026-3960 (same product: H2O H2O)
CVE-2025-61684 (same vendor: H2O)

Affected Assets

Vendor: h2o
Product: h2o
Version: 3.46.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SC-5, Denial-of-service Protection): Directly implements denial-of-service protections to mitigate resource exhaustion from vulnerable endpoints performing untimed outbound HEAD requests to attacker-controlled servers.

prevent: Protects system resources such as threads and connections from unauthorized depletion caused by hanging network requests triggered by the typeahead endpoint.

prevent (CM-6, Configuration Settings): Mandates configuration settings for HTTP clients, including timeouts on outbound requests, to prevent indefinite blocking and unresponsiveness from the vulnerable endpoint.

References

Huntr advisory (mitigation details): https://huntr.com/bounties/a04190d9-4acb-449a-9a7f-f1bf6be1ed23