CVE-2024-8062
Published: 20 March 2025
Summary
CVE-2024-8062 is a high-severity Synchronous Access of Remote Resource without Timeout (CWE-1088) vulnerability in H2O (vendor H2O, project h2oai/h2o-3). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 47.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under Other Platforms and falls in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly implements denial-of-service protections to mitigate resource exhaustion from vulnerable endpoints performing untimed outbound HEAD requests to attacker-controlled servers.
Protects system resources such as threads and connections from unauthorized depletion caused by hanging network requests triggered by the typeahead endpoint.
Mandates configuration settings for HTTP clients, including timeouts on outbound requests, to prevent indefinite blocking and unresponsiveness from the vulnerable endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the typeahead endpoint enables denial of service through exploitation: an attacker can trigger outbound HEAD requests that carry no timeout toward an attacker-controlled server that simply hangs, exhausting application threads and connections and rendering the service unresponsive.
NVD Description
A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a `HEAD` request to verify the existence of a specified resource without setting a timeout. An attacker can exploit this by sending multiple requests to an attacker-controlled server that hangs, causing the application to block and become unresponsive to other requests.
Deeper analysis
CVE-2024-8062 is a denial-of-service vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0. The endpoint performs a HEAD request to verify the existence of a specified resource without setting a timeout, allowing resource exhaustion when the request hangs.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). An attacker sends multiple requests specifying an attacker-controlled server that hangs on the HEAD request, causing the application to block and become unresponsive to other requests. This leads to a denial of service with high availability impact, mapped to CWE-1088.
Mitigation details are available in the advisory published on Huntr.dev at https://huntr.com/bounties/a04190d9-4acb-449a-9a7f-f1bf6be1ed23. The CVE was published on 2025-03-20.
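The fix the advisory implies is a bounded outbound check. As an added illustration (not h2o-3's own code, which is Java), the following Python shows the hardened form of the existence probe: a HEAD request with a hard per-socket timeout, exercised against a constructed peer that accepts the TCP connection and never answers, which is the condition the untimed original would block on indefinitely. Function and server names are hypothetical.

```python
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

def resource_exists(url: str, timeout: float = 3.0) -> bool:
    """Hardened probe (hypothetical): HEAD with a hard per-socket timeout, so a silent
    peer costs at most `timeout` seconds instead of blocking the thread forever."""
    parts = urlparse(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return 200 <= conn.getresponse().status < 400
    except (OSError, http.client.HTTPException):  # timeout, refused, garbage reply
        return False
    finally:
        conn.close()

def probe_timed(url: str, timeout: float) -> tuple:
    """Return (exists, seconds elapsed) so the bound on blocking time is observable."""
    start = time.monotonic()
    return resource_exists(url, timeout), time.monotonic() - start

class _HeadHandler(BaseHTTPRequestHandler):
    """Constructed well-behaved peer: HEAD /exists -> 200, anything else -> 404."""
    def do_HEAD(self):
        self.send_response(200 if self.path == "/exists" else 404)
        self.end_headers()

def start_responding_server() -> int:
    srv = HTTPServer(("127.0.0.1", 0), _HeadHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def start_hanging_server() -> int:
    """Constructed hostile peer: accepts TCP connections and never writes a byte,
    which is exactly what an untimed HEAD check would wait on indefinitely."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(8)
    held = []  # keep accepted sockets alive so the client never sees EOF
    def accept_forever():
        while True:
            held.append(lsock.accept()[0])
    threading.Thread(target=accept_forever, daemon=True).start()
    return lsock.getsockname()[1]
```

With the timeout in place, each probe against the silent peer costs one worker thread for at most `timeout` seconds rather than permanently, which is the resource bound CM-6 and SC-5 ask for.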
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: H2O-3 is an open-source distributed machine learning platform with a web interface (including the typeahead endpoint). It is categorized under Other Platforms because it is a full ML platform that does not fit narrower categories such as frameworks or libraries.