CVE-2025-62724
BaseFortify
Publication date: 2025-11-20
Last updated on: 2025-11-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opendondemand | opendondemand | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Open OnDemand allows users to perform a Time of Check to Time of Use (TOCTOU) attack when downloading zip files, gaining access to files outside of the configured file browser allowlist (OOD_ALLOWLIST). The files accessed remain protected by UNIX permissions. The flaw affects all versions of Open OnDemand prior to 4.0.8 and 3.1.16; those releases contain the fix.
How can this vulnerability impact me?
The vulnerability can allow unauthorized users to access files outside of the intended allowlist by exploiting the TOCTOU flaw during zip file downloads. This could lead to exposure of sensitive files if UNIX permissions are not properly restrictive, potentially compromising data confidentiality.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Open OnDemand to version 4.0.8 or later, or 3.1.16 or later, as these versions have been patched to fix the TOCTOU vulnerability.