CVE Tools
Sign in

CVE-2024-25622

H2O ignores headers configuration directives

Published: Oct 11, 2024Updated: Nov 12, 2024 Sources: CVE List NVDCWE-670
NVD MITRE
3.1CVSSLOW
EPSS Score
0.4%
Top 65.9%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allows users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes (e.g., path level) are expected to inherit the configuration defined in outer scopes (e.g., global level). However, if a header directive is used in the inner scope, all the definition in outer scopes are ignored. This can lead to headers not being modified as expected. Depending on the headers being added or removed unexpectedly, this behavior could lead to unexpected client behavior. This vulnerability is fixed in commit 123f5e2b65dcdba8f7ef659a00d24bd1249141be.

CVSS Vector Breakdown

AV:NAC:HPR:NUI:RS:UC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:HAttack Complexity
High
PR:NPrivileges Required
None
UI:RUser Interaction
Required
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-670

Affected Products

h2oh2o
On-prem
Networking Infrastructure / load-balancer-proxy
h2odena
SaaS
Cloud & SaaS
h2ooss-projectNetworking Infrastructureaka h2o web server, h2o, picotls, quicly
denacommercialCloud & SaaSaka dena inc

Exploitability

Official Patch Available

References

https://github.com/h2o/h2o/security/advisories/GHSA-5m7v-cj65-h6pj
github.com
https://github.com/h2o/h2o/issues/3332
github.com
https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be
github.com

Timeline

Published
Oct 11, 2024
Last Updated
Nov 12, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-25622 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows