Submit #649728: h2oai h2o-3 <=v3.46.08 Deserializationinfo

Title	h2oai h2o-3 <=v3.46.08 Deserialization
Description	In H2O-3, the blacklist-based filtering of JDBC parameters is incomplete, which allows attackers to exploit H2 JDBC deserialization. This attack remains viable in the latest version.
Source	⚠️ https://github.com/ez-lbz/poc/issues/51
User	ez-lbz (UID 87033)
Submission	09/07/2025 03:05 (9 months ago)
Moderation	09/21/2025 10:16 (14 days later)
Status	Accepted
VulDB entry	325125 [h2oai h2o-3 up to 3.46.08 H2 JDBC Driver /99/ImportSQLTable connection_url deserialization]
Points	15

Want to know what is going to be exploited?

We predict KEV entries!