CVE: CVE-2024-5986 Vulnerability Type: CWE-918: External Control of File Name or Path Severity: Critical (9.1) Affected Version: 3.46.0.1 Status: Awaiting fix Impact The main impact of this vulnerability is being able to write arbitrary data to any arbitrary file on a remote server running h2o-3. This can lead to remote code execution and complete access to the system. References Report detailing the first arbitrary file write Key Technical Details The vulnerability is an extension of an unfixed vulnerability reported earlier. The attack allows for arbitrary file writes by injecting data through the endpoint. The data needs to be parsed and saved as a CSV through the endpoint. The parsed file header data can be injected to avoid parsing issues. Example commands are provided for starting the server, uploading a malicious file, parsing the file, and exporting the file. The exploit can overwrite critical files like private SSH keys or script files, leading to remote access or script execution.