CVE-2024-7765

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-409
View all →

Vulnerability Description

In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes unresponsive due to memory exhaustion and a large number of concurrent slow-running jobs. This issue arises from the improper handling of highly compressed data, leading to significant data amplification.

Related Vulnerabilities

CVE-2024-28101

HIGH
CVSS:7.5(High)

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. ...

CWE-4092024

CVE-2024-3572

HIGH
CVSS:7.5(High)

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows...

CWE-4092024

CVE-2025-30153

HIGH
CVSS:7.5(High)

kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted...

CWE-4092025

CVE-2025-46730

MEDIUM
CVSS:6.8(Medium)

MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other security tools and web applications. Access t...

CWE-4092025

CVE-2023-0475

MEDIUM
CVSS:6.5(Medium)

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

CWE-4092023