CVE-2025-62724
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-20

Last updated on: 2025-11-20

Assigner: GitHub, Inc.

Description
Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-20
Last Modified
2025-11-20
Generated
2026-06-16
AI Q&A
2025-11-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62724
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opendondemand opendondemand *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Open OnDemand allows users to perform a Time of Check to Time of Use (TOCTOU) attack when downloading zip files, enabling access to files outside of the configured file browser allowlist (OOD_ALLOWLIST). Although the files accessed are still protected by UNIX permissions, this flaw affects all current versions of Open OnDemand prior to versions 4.0.8 and 3.1.16, which have been patched.

Impact Analysis

The vulnerability can allow unauthorized users to access files outside of the intended allowlist by exploiting the TOCTOU flaw during zip file downloads. This could lead to exposure of sensitive files if UNIX permissions are not properly restrictive, potentially compromising data confidentiality.

Mitigation Strategies

Upgrade Open OnDemand to version 4.0.8 or later, or 3.1.16 or later, as these versions have been patched to fix the TOCTOU vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62724. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart