CVE-2025-66029

7.6 HIGH

📋 TL;DR

In Open OnDemand 4.0.8 and earlier, the Apache proxy forwards sensitive request headers to the origin servers it proxies to. A malicious user who can run a server on a compute node can therefore capture those headers from other users who connect to it through the portal. Organizations running Open OnDemand 4.0.8 or earlier are affected.

💻 Affected Systems

Products:
  • Open OnDemand
Versions: 4.0.8 and prior
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Default configuration with OIDCPassClaimsAs 'both' is vulnerable. Versions below 4.0 cannot use the custom_location_directives workaround.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could capture sensitive authentication headers and session cookies, potentially leading to account compromise and unauthorized access to supercomputing resources.

🟠 Likely Case

Attackers could harvest session cookies and authentication tokens to impersonate legitimate users and access their compute resources.

🟢 If Mitigated

With proper header filtering configured, sensitive information is not exposed to compute nodes, preventing credential capture.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to run a malicious origin server on a compute node and to trick users into connecting to it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1 (anticipated)

Vendor Advisory: https://github.com/OSC/ondemand/security/advisories/GHSA-2cwp-8g29-9q32

Restart Required: Yes

Instructions:

1. Monitor for the Open OnDemand 4.1 release.
2. Upgrade to version 4.1 when available.
3. Restart the Apache service after the upgrade.

🔧 Temporary Workarounds

Configure custom_location_directives in ood_portal.yml

Platform: Linux

Modify the Apache proxy configuration to unset or edit sensitive headers: edit /etc/ood/config/ood_portal.yml and add custom_location_directives that unset headers such as mod_auth_openidc_session.

Change the OIDCPassClaimsAs setting

Platform: Linux

Set OIDCPassClaimsAs to 'none' or 'environment' instead of the default 'both': set OIDCPassClaimsAs: none in the ood_portal.yml configuration.

🧯 If You Can't Patch

  • Implement network segmentation to isolate compute nodes from user access
  • Monitor for unusual compute node network activity and unauthorized servers

🔍 How to Verify

Check if Vulnerable:

Check the Open OnDemand version and verify the OIDCPassClaimsAs setting in ood_portal.yml.

Check Version:

ondemand --version

Verify Fix Applied:

Verify headers are not being passed to origin servers by testing with a controlled origin server
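As an added example that is not part of this advisory page or the Open OnDemand project, the following POSIX shell script covers both the Temporary Workarounds section and the "Check if Vulnerable" step above: it checks an ood_portal.yml for the OIDCPassClaimsAs setting and for a custom_location_directives block that strips mod_auth_openidc_session, and runs that check against two constructed sample configs (a default-style one and one with both workarounds applied, using a placeholder hostname). It assumes the mod_auth_openidc directive is placed under an `oidc_settings:` map (that key name is my assumption), one YAML key per line, and custom_location_directives written as a `|` block scalar. It is a text heuristic rather than a YAML parser, and it reports success only when both workarounds are present. `RequestHeader unset` is the standard Apache mod_headers directive.

```shell
#!/bin/sh
# Added example, not from the advisory page or the Open OnDemand project.
# Heuristic text check of an ood_portal.yml for the two workarounds described
# on this page. Assumptions: mod_auth_openidc directives live under an
# `oidc_settings:` map (key name assumed), one YAML key per line, and
# custom_location_directives written as a `|` block scalar.

# Succeed when FILE sets OIDCPassClaimsAs to none or environment
# (anything else, including the default 'both', forwards claims as headers).
claims_not_in_headers() {
  grep -Eq "^[[:space:]]*OIDCPassClaimsAs:[[:space:]]*[\"']?(none|environment)[\"']?[[:space:]]*\$" "$1"
}

# Succeed when FILE's custom_location_directives block unsets or edits the
# mod_auth_openidc_session header with an Apache RequestHeader directive.
session_header_unset() {
  awk '
    /^[[:space:]]*custom_location_directives:/ { inblock = 1; next }
    inblock && /^[^[:space:]]/ { inblock = 0 }   # block ends at the next top-level key
    inblock && /RequestHeader[[:space:]]+(unset|edit[*]?)[[:space:]]+.*mod_auth_openidc_session/ { found = 1 }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# Print a per-workaround report for FILE; return 0 only when both are present.
check_ood_portal() {
  cfg="$1"; missing=0
  if claims_not_in_headers "$cfg"; then
    echo "$cfg: OIDCPassClaimsAs is none/environment (claims not forwarded as headers)"
  else
    echo "$cfg: OIDCPassClaimsAs not set to none/environment (default 'both' forwards claims as headers)"
    missing=1
  fi
  if session_header_unset "$cfg"; then
    echo "$cfg: custom_location_directives strips mod_auth_openidc_session"
  else
    echo "$cfg: no custom_location_directives stripping mod_auth_openidc_session"
    missing=1
  fi
  return $missing
}

# Constructed sample configs (placeholder hostname) so the check runs offline.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
VULN_CFG="$tmp/vulnerable_ood_portal.yml"
FIXED_CFG="$tmp/mitigated_ood_portal.yml"

cat > "$VULN_CFG" <<'EOF'
# Constructed sample: default-style config, OIDCPassClaimsAs left at 'both'
servername: ondemand.example.org
oidc_settings:
  OIDCPassClaimsAs: both
EOF

cat > "$FIXED_CFG" <<'EOF'
# Constructed sample: both workarounds applied
servername: ondemand.example.org
oidc_settings:
  OIDCPassClaimsAs: none
custom_location_directives: |
  # Drop the mod_auth_openidc session header before the proxy forwards the
  # request to an origin server on a compute node
  RequestHeader unset mod_auth_openidc_session
EOF

for f in "$VULN_CFG" "$FIXED_CFG"; do
  check_ood_portal "$f" || echo "$f: NOT fully mitigated"
done
```

Point `check_ood_portal` at the real /etc/ood/config/ood_portal.yml to get the same report for a live portal; because the check is heuristic, confirm the generated Apache configuration after regenerating it and restarting Apache, as the fix instructions above require.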

📡 Detection & Monitoring

Log Indicators:

  • Unusual compute node network connections
  • Multiple failed authentication attempts from compute nodes

Network Indicators:

  • Unexpected HTTP servers running on compute nodes
  • Suspicious traffic patterns from compute nodes to external systems

SIEM Query:

source="apache" AND ("mod_auth_openidc" OR "OIDC") AND dest_ip IN compute_node_subnet
