CVE-2025-6544: CWE-502 Deserialization of Untrusted Data in h2oai h2oai/h2o-3
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.
AI Analysis
Technical Summary
CVE-2025-6544 is a critical deserialization vulnerability affecting h2oai/h2o-3 versions up to and including 3.46.0.8. The vulnerability stems from improper handling of JDBC connection parameters within the software, which allows attackers to bypass regular expression validation checks by leveraging double URL encoding techniques. This bypass enables the injection of malicious serialized data that the application deserializes without proper validation, leading to arbitrary code execution and unauthorized reading of system files. The root cause is classified under CWE-502, which concerns unsafe deserialization of untrusted data. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The CVSS v3.0 base score is 9.8, indicating a critical severity with high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant risk for all users running affected versions of h2oai/h2o-3, a popular open-source machine learning platform widely used for data analytics and AI model development.
Potential Impact
For European organizations, the impact of this vulnerability is substantial. H2O.ai's platform is commonly used in sectors such as finance, healthcare, telecommunications, and manufacturing—industries that handle sensitive personal and business-critical data. Successful exploitation could lead to unauthorized disclosure of confidential data, including personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Additionally, arbitrary code execution could allow attackers to establish persistent footholds, disrupt AI model training and deployment pipelines, or pivot to other internal systems, potentially causing operational downtime and financial losses. Given the criticality and network-exploitability, organizations relying on h2oai/h2o-3 for AI workloads are at risk of severe compromise, data breaches, and service interruptions.
Mitigation Recommendations
Immediate mitigation involves upgrading h2oai/h2o-3 to a version beyond 3.46.0.8 once a patched release is available. Until then, organizations should implement strict input validation and sanitization on JDBC connection parameters, specifically blocking double-URL-encoded payloads. Network-level controls such as web application firewalls (WAFs) should be configured to detect and block suspicious serialized data patterns and anomalous JDBC connection attempts. Employing runtime application self-protection (RASP) tools can help detect and prevent deserialization attacks in real time. Additionally, restricting access to the h2o-3 management interfaces and APIs to trusted internal networks and enforcing strong authentication and authorization controls will reduce exposure. Regular security audits and monitoring for unusual file access or process execution related to h2o-3 instances are recommended to detect exploitation attempts early.
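The input-validation step above can be sketched as a filter placed in front of the service. This is an added example, not h2o-3 code: it models a decode-once regex check next to a validator that decodes to a fixed point, rejects multi-layer encoding, and allowlists parameter names. The property names, the `exampledb` scheme, the host, and the assumption that parameters follow a `?` are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: constructed allowlist of the JDBC properties this deployment needs.
ALLOWED_PARAMS = {"user", "ssl", "connectTimeout"}
MAX_DECODE_ROUNDS = 5
PCT = re.compile(r"%[0-9A-Fa-f]{2}")
# Hypothetical forbidden property name, standing in for a real denylist entry.
NAIVE_DENY = re.compile(r"blockedOption", re.I)

def naive_check(raw):
    """Flawed pattern: decode once, then regex. True means 'accepted'."""
    return NAIVE_DENY.search(unquote(raw)) is None

def canonicalize(value):
    """Percent-decode until no %XX escape remains; return (text, rounds)."""
    rounds = 0
    while PCT.search(value):
        if rounds == MAX_DECODE_ROUNDS:
            raise ValueError("too many encoding layers")
        value = unquote(value)
        rounds += 1
    return value, rounds

def validate_jdbc_url(raw):
    """Return (ok, reason) for a client-supplied JDBC connection string."""
    try:
        url, rounds = canonicalize(raw)
    except ValueError as exc:
        return False, str(exc)
    if rounds > 1:  # legitimate clients have no reason to encode twice
        return False, "multi-layer percent-encoding"
    if not url.startswith("jdbc:"):
        return False, "not a JDBC URL"
    query = url.partition("?")[2]
    for pair in filter(None, re.split(r"[&;]", query)):
        name = pair.split("=", 1)[0].strip()
        if name not in ALLOWED_PARAMS:
            return False, f"parameter not allowlisted: {name}"
    return True, "ok"

# Constructed sample inputs (exampledb and the host name are placeholders).
BASE = "jdbc:exampledb://db.internal.example:3306/sales?user=app"
CLEAN = BASE + "&ssl=true"
SINGLE = BASE + "&%62lockedOption=true"    # decodes to blockedOption in one round
DOUBLE = BASE + "&%2562lockedOption=true"  # needs two rounds to reach the same name

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("single", SINGLE), ("double", DOUBLE)):
        print(label, naive_check(sample), validate_jdbc_url(sample))
```

The decode-once check accepts the double-encoded sample while the canonicalizing validator rejects it, which is the gap the advisory describes.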
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Switzerland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2025-06-23T18:25:36.504Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68d0935fb68a0c387d42a921
Added to database: 9/22/2025, 12:07:59 AM
Last enriched: 9/22/2025, 12:08:20 AM
Last updated: 9/24/2025, 6:48:04 AM