All H2 Database CVEs — Complete Vulnerability History
H2 is an in-memory Java SQL database widely used in testing and development. Both of its critical CVEs are remote code execution (RCE) via the H2 console, which should never be exposed in production.
Java/Maven
Millions of weekly downloads
2 CVEs total
2 CRITICAL
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2021-42392 | 2021 | CRITICAL | RCE via JNDI lookup (Log4Shell-like) in H2 console | Fixed 2.0.206 |
| CVE-2022-45868 | 2022 | CRITICAL | RCE via H2 console JNDI injection | Fixed 2.2.220 |
Current safe version: 2.2.224
# Before: 2.1.210
# After: 2.2.224
Then run: mvn dependency:resolve
Common questions
Is H2 console safe in production?
No. Disable the H2 console in production environments. Set spring.h2.console.enabled=false in Spring Boot. The console should only ever run in local development.