Open OnDemand allowlist bypass using symlinks in directory downloads (TOCTOU)

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.

Basic Information

ID CVE-2025-62724

Source GitHub_M

Published Nov 20, 2025 at 16:53

Affected Product

Vendor OSC

Product ondemand

Version < 4.0.8

Affected Versions OSC ondemand < 4.0.8
OSC ondemand < 3.1.16

CWE Classification

CWE-61 CWE-367

References

github.com /OSC/ondemand/security/advisories/GHSA-vjpg-34px-gjrw

{
    "lastseen": "",
    "description": "Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a \"Time of Check to Time of Use\" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.",
    "published": "2025-11-20T16:53:13.495Z",
    "modified": "2025-11-20T16:53:13.495Z",
    "type": "cve",
    "title": "Open OnDemand allowlist bypass using symlinks in directory downloads (TOCTOU)",
    "source": "GitHub_M",
    "references": "https://github.com/OSC/ondemand/security/advisories/GHSA-vjpg-34px-gjrw",
    "id": "CVE-2025-62724",
    "bulletinFamily": "",
    "cwe": [
        "CWE-61",
        "CWE-367"
    ],
    "cvelist": null,
    "sourceData": "OSC ondemand < 4.0.8\nOSC ondemand < 3.1.16",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ondemand",
    "version": "< 4.0.8",
    "vendor": "OSC",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Open OnDemand allowlist bypass using symlinks in directory downloads (TOCTOU)_CVE-2025-62724