CVE-2025-62724
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-62724, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-20

Last updated on: 2025-11-20

Assigner: GitHub, Inc.

Description

Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-20
Last Modified
2025-11-20
Generated
2026-07-06
AI Q&A
2025-11-20
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
opendondemand opendondemand *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Open OnDemand allows users to perform a Time of Check to Time of Use (TOCTOU) attack when downloading zip files, enabling access to files outside of the configured file browser allowlist (OOD_ALLOWLIST). Although the files accessed are still protected by UNIX permissions, this flaw affects all current versions of Open OnDemand prior to versions 4.0.8 and 3.1.16, which have been patched.

Impact Analysis

The vulnerability can allow unauthorized users to access files outside of the intended allowlist by exploiting the TOCTOU flaw during zip file downloads. This could lead to exposure of sensitive files if UNIX permissions are not properly restrictive, potentially compromising data confidentiality.

Mitigation Strategies

Upgrade Open OnDemand to version 4.0.8 or later, or 3.1.16 or later, as these versions have been patched to fix the TOCTOU vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62724. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart