Introduction
Remote attackers can execute arbitrary code on H2O-3 clusters by exploiting a critical deserialization flaw in the REST API. Any organization using H2O-3 for machine learning workflows and exposing the ImportSQLTable endpoint is at risk until patched.
About H2O.ai and H2O-3: H2O.ai is a prominent open-source and enterprise AI/ML platform vendor. H2O-3 is its widely used distributed machine learning platform, deployed in financial services, healthcare, and many Fortune 500 companies. The platform's REST API enables integration with diverse data sources and automation pipelines, making its security posture highly significant for the broader AI/ML ecosystem.
Technical Information
CVE-2025-5662 is a deserialization vulnerability reachable through the H2O-3 REST API endpoint POST /99/ImportSQLTable. The endpoint imports a SQL table into an H2O-3 cluster using JDBC connection parameters (the connection URL, table name and credentials) supplied by the caller. In all versions up to and including 3.46.0.7, H2O-3 does not adequately validate or sanitize these JDBC parameters when they are supplied in key-value format. MySQL Connector/J accepts connection properties both as a `?key=value` query string and inside an `address=(key=value)` host specification, so validation that inspects only one of these syntaxes leaves the other open.
The vulnerability arises because the endpoint builds a JDBC connection from the caller's parameters, so an attacker chooses both the server the driver connects to and the driver properties it runs with. With MySQL Connector/J, the connection URL can carry properties such as autoDeserialize that make the driver deserialize data returned by the server. A server under the attacker's control can therefore return a serialized gadget chain that the H2O-3 JVM deserializes, yielding arbitrary code execution in the H2O-3 process. The JDBC URL does not itself need to contain the serialized object; it only needs to point the driver at an attacker-controlled host with the right properties set. The attack requires no authentication and can be carried out over the network by anyone who can reach the REST API.
The combination the report singles out is MySQL Connector/J 8.0.19 on JDK 8u112, because code execution needs both a driver that will deserialize server-returned data and a classpath that offers a usable gadget chain. Neither is unique to those versions: other JDBC drivers with similar client-side deserialization features, and other JDK or library versions with their own gadget chains, should be assumed to expose the same unsafe pattern until the input handling itself is fixed.
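As an added example (not H2O-3 or H2O.ai code), the following Python validator shows the check a server needs before handing a caller-supplied URL to a JDBC driver. It normalises both URL syntaxes that MySQL Connector/J accepts, enforces a host allow-list, rejects driver properties that enable client-side deserialization or file reads, and contrasts that with a check that only inspects the `?` query string. The property names are MySQL Connector/J's; which ones to block, the allow-listed hosts and the sample URLs are this example's own assumptions.

```python
"""Allow-list validation for caller-supplied JDBC URLs.

Added example, not H2O-3 code. It normalises both URL syntaxes that MySQL
Connector/J accepts:
    jdbc:mysql://host:3306/db?key=value                      (query-string form)
    jdbc:mysql://address=(host=h)(port=3306)(key=value)/db   (key-value form)
and rejects a URL if its host is not allow-listed or if it sets a driver
property that lets the client deserialize data or read local files.
"""
import re
from urllib.parse import parse_qsl, unquote

# MySQL Connector/J property names; the decision to block exactly these is
# this example's own policy (assumption), not a vendor-published list.
DANGEROUS_PROPERTIES = {
    "autodeserialize",
    "queryinterceptors",
    "statementinterceptors",
    "exceptioninterceptors",
    "allowloadlocalinfile",
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
}

ADDRESS_RE = re.compile(r"address=((?:\([^()]*\))+)", re.IGNORECASE)
PAIR_RE = re.compile(r"\(([^=()]+)=([^()]*)\)")


def _address_pairs(url):
    """Yield (key, value) from every address=(k=v)(k=v)... group in the URL."""
    for match in ADDRESS_RE.finditer(url):
        for key, value in PAIR_RE.findall(match.group(1)):
            yield unquote(key).strip().lower(), unquote(value).strip()


def extract_properties(url):
    """Every driver property the URL sets, from either syntax, keys lower-cased."""
    props = {}
    if "?" in url:  # parse_qsl also percent-decodes, so auto%44eserialize is caught
        for key, value in parse_qsl(url.split("?", 1)[1], keep_blank_values=True):
            props[key.strip().lower()] = value
    for key, value in _address_pairs(url):
        if key not in ("host", "port"):
            props[key] = value
    return props


def extract_hosts(url):
    """Every host the driver could connect to, lower-cased."""
    hosts = {value.lower() for key, value in _address_pairs(url) if key == "host"}
    if "://" in url:
        authority = url.split("://", 1)[1].split("/", 1)[0].split("?", 1)[0]
        authority = authority.rsplit("@", 1)[-1]           # drop user:pass@
        if "address=" not in authority.lower():            # plain host[:port][,host[:port]]
            for entry in authority.split(","):
                entry = entry.strip()
                if entry.startswith("["):                   # IPv6 literal
                    host = entry[1:entry.find("]")] if "]" in entry else entry
                else:
                    host = entry.split(":", 1)[0]
                if host:
                    hosts.add(host.lower())
    return hosts


def validate_jdbc_url(url, allowed_hosts, allowed_subprotocols=("mysql", "postgresql")):
    """Return (accepted, reason). Anything not explicitly permitted is rejected."""
    scheme = re.match(r"jdbc:([a-z0-9]+):", url, re.IGNORECASE)
    if not scheme or scheme.group(1).lower() not in allowed_subprotocols:
        return False, "unsupported or missing JDBC subprotocol"
    hosts = extract_hosts(url)
    if not hosts:
        return False, "no host in URL"
    unknown = hosts - {h.lower() for h in allowed_hosts}
    if unknown:
        return False, "host not allow-listed: " + ", ".join(sorted(unknown))
    bad = sorted(set(extract_properties(url)) & DANGEROUS_PROPERTIES)
    if bad:
        return False, "dangerous driver property: " + ", ".join(bad)
    return True, "ok"


def query_string_only_check(url):
    """A check that inspects only the text after '?'. Kept here to show that it
    accepts the key-value form unchanged."""
    query = url.split("?", 1)[1].lower() if "?" in url else ""
    return not any(name in query for name in DANGEROUS_PROPERTIES)


# Constructed sample URLs (203.0.113.7 is a documentation address).
TRUSTED_URL = "jdbc:mysql://db.internal:3306/sales?useSSL=true"
QUERY_FORM_URL = "jdbc:mysql://203.0.113.7:3306/x?autoDeserialize=true"
KEY_VALUE_FORM_URL = "jdbc:mysql://address=(host=203.0.113.7)(port=3306)(autoDeserialize=true)/x"

if __name__ == "__main__":
    allowed = {"db.internal"}
    for url in (TRUSTED_URL, QUERY_FORM_URL, KEY_VALUE_FORM_URL):
        print(query_string_only_check(url), validate_jdbc_url(url, allowed), url)
```

Running the block prints that the query-string-only check passes the key-value form while the validator rejects it. The host allow-list is the check that matters most: even if a property name is missed, the driver can only reach databases the operator has approved. Stricter still is to accept only an allow-list of property names, which is what a server should do when it controls the driver configuration.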
This vulnerability is closely related to previously reported deserialization issues in H2O-3, such as CVE-2025-6507 and CVE-2024-10553, which also involve REST API endpoints processing untrusted serialized data. The root cause in all cases is insufficient input validation and unsafe use of Java deserialization on user-supplied input.
Affected Systems and Versions
- H2O-3 machine learning platform
- All versions up to and including 3.46.0.7
- Exploitation reported with MySQL JDBC Driver (Connector/J) 8.0.19 and JDK 8u112; other driver and JDK combinations are not ruled out
- The vulnerability is present in the POST /99/ImportSQLTable REST API endpoint
- Fixed in version 3.46.0.8
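For operators who cannot move to 3.46.0.8 immediately, exploitation attempts leave a recognisable trace wherever requests to the REST API are logged. The following Python script is an added example (not H2O.ai's code or logging format): it scans constructed JSON request-log lines for POST requests to /99/ImportSQLTable whose `connection_url` form field sets a driver property that would enable deserialization. The log format is assumed to be that of a reverse proxy recording method, path and body; the `connection_url` field name is the one the H2O-3 client uses for this endpoint and is assumed here; the property names are MySQL Connector/J's, and the selection of them is the example's own.

```python
"""Hunt request logs for ImportSQLTable calls that set risky driver properties.

Added example, not H2O-3 code. The log lines are constructed here and only
imitate a reverse proxy in front of an H2O-3 node that records the method,
path and form-encoded body of each request; H2O-3's own logs look different.
"""
import json
import re
from urllib.parse import parse_qs, unquote, urlencode

ENDPOINT_RE = re.compile(r"^/\d+/ImportSQLTable$")

# Match the property name wherever it occurs (after '?', after '&', or inside a
# '(key=value)' address group) so that URL syntax variations do not evade the
# rule. Property names are MySQL Connector/J's; the selection is an assumption.
RISKY_PROPERTY_RE = re.compile(
    r"(?<![a-z0-9])(autoDeserialize|queryInterceptors|statementInterceptors|"
    r"exceptionInterceptors|allowLoadLocalInfile|allowUrlInLocalInfile)\s*=",
    re.IGNORECASE,
)


def _record(ts, src, method, path, fields=None):
    """Build one constructed JSON log line with a form-encoded body."""
    return json.dumps({"ts": ts, "src": src, "method": method, "path": path,
                       "body": urlencode(fields or {})})


# Constructed sample log: one benign import and two suspicious ones from the
# same source, one in each URL syntax. Addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    _record("2025-06-01T10:00:01Z", "10.0.0.5", "GET", "/3/Cloud"),
    _record("2025-06-01T10:00:07Z", "10.0.0.5", "POST", "/99/ImportSQLTable", {
        "connection_url": "jdbc:mysql://db.internal:3306/sales?useSSL=true",
        "table": "orders", "username": "ro", "password": "secret"}),
    _record("2025-06-01T10:02:13Z", "198.51.100.23", "POST", "/99/ImportSQLTable", {
        "connection_url": "jdbc:mysql://203.0.113.7:3306/x?autoDeserialize=true",
        "table": "t", "username": "u", "password": "p"}),
    _record("2025-06-01T10:02:40Z", "198.51.100.23", "POST", "/99/ImportSQLTable", {
        "connection_url": "jdbc:mysql://address=(host=203.0.113.7)(port=3306)(autoDeserialize=true)/x",
        "table": "t", "username": "u", "password": "p"}),
])


def risky_properties(connection_url):
    """Names of risky driver properties set in the URL, after percent-decoding."""
    decoded = unquote(connection_url)
    return sorted({m.group(1).lower() for m in RISKY_PROPERTY_RE.finditer(decoded)})


def scan(log_text):
    """Return one finding per ImportSQLTable request that sets a risky property."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or not ENDPOINT_RE.match(rec.get("path", "")):
            continue
        body = parse_qs(rec.get("body", ""), keep_blank_values=True)
        url = body.get("connection_url", [""])[0]
        found = risky_properties(url)
        if found:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "properties": found, "connection_url": url})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {','.join(f['properties'])} {f['connection_url']}")
```

The rule deliberately matches on the decoded URL text rather than parsing it: a signature written as `?autoDeserialize=` catches only the query-string form, whereas matching the property name before an `=` in any position also covers the `address=(key=value)` syntax. Any hit from a source that is not a known data pipeline is worth treating as an exploitation attempt rather than a misconfiguration, because no legitimate import needs these properties.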
Vendor Security History
H2O.ai has addressed multiple deserialization vulnerabilities in H2O-3 in recent years. Notably:
- CVE-2025-6507: Critical RCE in JDBC connection handling, patched in 3.46.0.8
- CVE-2024-10553: Deserialization flaw in the ImportSQLTable and SaveToHiveTable endpoints
H2O.ai typically issues patches promptly after disclosure, but the recurrence of the same class of flaw in the same endpoints indicates that they still build driver connections from caller-controlled input rather than from server-side configuration, so each fix has addressed one syntax or property at a time rather than the underlying pattern.