CVE-2025-62724
📋 TL;DR
Open OnDemand HPC portal versions before 4.0.8 and 3.1.16 contain a TOCTOU vulnerability in zip file downloads that could allow authenticated users to bypass file allowlist restrictions. This affects sites using file browser allowlists, though accessed files remain protected by UNIX permissions. The vulnerability requires user interaction and specific conditions to exploit.
💻 Affected Systems
- Open OnDemand
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Authenticated users could access sensitive files outside the allowlist that their UNIX permissions permit, potentially exposing configuration files, logs, or other restricted data.
Likely Case
Limited information disclosure of files that users already have some UNIX permissions to access, but which are intentionally excluded from the OOD_ALLOWLIST.
If Mitigated
No impact if proper UNIX permissions are configured, as the vulnerability only bypasses the application-level allowlist, not OS-level file permissions.
🎯 Exploit Status
Exploitation requires authenticated user access and specific timing conditions (TOCTOU).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.8 or 3.1.16
Vendor Advisory: https://github.com/OSC/ondemand/security/advisories/GHSA-vjpg-34px-gjrw
Restart Required: Yes
Instructions:
1. Identify your Open OnDemand version.
2. Upgrade to version 4.0.8 if using v4.x, or 3.1.16 if using v3.x.
3. Restart the Open OnDemand service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable file downloads
Temporarily disable zip file download functionality in the Open OnDemand configuration:
# Edit Open OnDemand configuration to disable file downloads
Restrict user permissions
Tighten UNIX file permissions on sensitive directories to limit potential exposure:
chmod 750 /sensitive/directories
chown root:root /sensitive/directories
🧯 If You Can't Patch
- Implement strict UNIX file permissions to limit what users can access even if they bypass the allowlist
- Monitor for unusual file access patterns and implement additional access controls
🔍 How to Verify
Check if Vulnerable:
Check Open OnDemand version. If version is below 4.0.8 (for v4.x) or below 3.1.16 (for v3.x), the system is vulnerable.
Check Version:
ood --version # or check Open OnDemand web interface version
Verify Fix Applied:
Verify Open OnDemand version is 4.0.8 or higher (for v4.x) or 3.1.16 or higher (for v3.x). Test zip file downloads to ensure they respect allowlist restrictions.
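The version check described above, written out as an added example that is not part of this advisory and not Open OnDemand's own tooling: a POSIX shell function that classifies a version string against the fixed releases named on this page (3.1.16 for the 3.x line, 4.0.8 for the 4.x line). It assumes you have already obtained the version string (from `ood --version` as shown above, or from your package manager) and handles distribution-style suffixes such as `4.0.8-1.el8`. Major versions other than 3 and 4 are reported as `unknown`, because the advisory says nothing about them.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify an Open OnDemand version
# string against the fixed releases for CVE-2025-62724.
# Fixed versions taken from the advisory text: 3.1.16 (3.x line), 4.0.8 (4.x line).

# vercmp A B: compare two dotted version strings field by field, numerically.
# Prints -1 if A < B, 0 if equal, 1 if A > B. Non-numeric tails such as
# "-1.el8" are ignored, so "4.0.8-1.el8" compares equal to "4.0.8".
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}          # current field of each version
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*} # drop anything after the digits
    x=${x:-0}; y=${y:-0}             # missing field counts as 0
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac  # advance to next field
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  printf '%s\n' 0
}

# ood_cve_2025_62724_status VERSION
# Prints "vulnerable", "fixed" or "unknown" and exits 1, 0 or 2 respectively,
# so the function can drive a cron job or configuration-management check.
ood_cve_2025_62724_status() {
  v="$1"
  major=${v%%.*}
  case "$major" in
    3) fixed=3.1.16 ;;
    4) fixed=4.0.8 ;;
    *) printf '%s\n' unknown; return 2 ;;  # the advisory only covers 3.x and 4.x
  esac
  if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
    printf '%s\n' vulnerable; return 1
  fi
  printf '%s\n' fixed; return 0
}

# Stand-alone usage: sh check_ood.sh "$(ood --version)"  (command from the advisory;
# substitute your package manager's output if your site reports the version differently)
if [ $# -gt 0 ]; then
  ood_cve_2025_62724_status "$1"
fi
```

The exit code is the useful part for automation: a nonzero status from the check is a clear signal to a monitoring job that the host is still running a version below the fixed release for its line.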
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns via Open OnDemand file browser
- Multiple failed/successful attempts to download files outside normal patterns
Network Indicators:
- Increased file download activity from single users
- Unusual timing patterns in file requests
SIEM Query:
source="openondemand" AND (event="file_download" OR event="zip_extract") AND file_path NOT IN allowed_paths