How do I fix CVE-2024-6863?

To fix CVE-2024-6863, it is advised to upgrade to version 3.46.1 or later of H2O-3, or implement proper access controls to the EncryptionTool endpoint.

Which versions of H2O-3 are affected by CVE-2024-6863?

CVE-2024-6863 affects H2O-3 versions from 3.32.1.2 to 3.46.0 inclusive.

What risks does CVE-2024-6863 pose to data security?

CVE-2024-6863 poses significant risks to data security, allowing unauthorized encryption of files which can lead to data loss or ransom demands.

Can CVE-2024-6863 be exploited remotely?

Yes, CVE-2024-6863 can be exploited remotely if the EncryptionTool endpoint is exposed to the internet.

Vulnerability/
CVE-2024-6863

medium

6.5

CWE

749

20/3/2025

CVE-2024-6863: Encryption of Arbitrary Files with Attacker-Controlled Key in h2oai/h2o-3

Q: What is the severity of CVE-2024-6863?

CVE-2024-6863 is a critical vulnerability that allows an attacker to encrypt any files on the target server, potentially leading to data loss and ransom-like scenarios.

First published: Thu Mar 20 2025(Updated: )

In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vulnerability makes it possible for an attacker to encrypt arbitrary files with keys of their choice, making it exceedingly difficult for the target to recover the keys needed for decryption.

Credit: security@huntr.dev

Affected Software	Affected Version	How to fix
H2O-3
maven/ai.h2o:h2o-core	>=3.32.1.2<=3.46.0
pip/h2o	>=3.32.1.2<=3.46.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-6863?
CVE-2024-6863 is a critical vulnerability that allows an attacker to encrypt any files on the target server, potentially leading to data loss and ransom-like scenarios.
How do I fix CVE-2024-6863?
To fix CVE-2024-6863, it is advised to upgrade to version 3.46.1 or later of H2O-3, or implement proper access controls to the EncryptionTool endpoint.
Which versions of H2O-3 are affected by CVE-2024-6863?
CVE-2024-6863 affects H2O-3 versions from 3.32.1.2 to 3.46.0 inclusive.
What risks does CVE-2024-6863 pose to data security?
CVE-2024-6863 poses significant risks to data security, allowing unauthorized encryption of files which can lead to data loss or ransom demands.
Can CVE-2024-6863 be exploited remotely?
Yes, CVE-2024-6863 can be exploited remotely if the EncryptionTool endpoint is exposed to the internet.

agent/title
agent/weakness
agent/type
agent/description
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
collector/nvd-api
source/NVD
agent/author
agent/severity
collector/github-advisory-latest
source/GitHub
alias/GHSA-m37h-8r48-2cxj
alias/CVE-2024-6863
agent/last-modified-date
agent/references
agent/source
agent/softwarecombine
collector/nvd-cve
agent/tags
collector/mitre-cve
source/MITRE
collector/github-advisory
agent/event
vendor/h2oai
canonical/h2o-3
package-manager/maven
package-manager/pip

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.