CVE-2025-62724

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-62724

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62724.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-62724

Aliases

GHSA-vjpg-34px-gjrw

Published

2025-11-20T16:53:13.495Z

Modified

2025-12-05T10:21:24.557793Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Open OnDemand allowlist bypass using symlinks in directory downloads (TOCTOU)

Details

Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62724.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-367",
        "CWE-61"
    ]
}

References

Affected packages

Git / github.com/osc/ondemand

Affected ranges

Type

GIT

Repo

https://github.com/osc/ondemand

Events

Introduced

Fixed

6a7b588dd12821f4554a1be7fa11a6b6ab6c7dc1

Fixed

b2d1f2a392acb060bb76d2c4f52fe58c156d69c1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.0.8"
        },
        {
            "fixed": "3.1.16"
        }
    ]
}

Affected versions

v.*

v.3.1.3

v1.*

v1.2.1

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.4.0

v1.4.1

v1.4.10

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4.8

v1.4.9

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.6

v1.6.0

v1.6.1

v1.6.10

v1.6.11

v1.6.12

v1.6.12_citest

v1.6.13

v1.6.14

v1.6.15

v1.6.16

v1.6.17

v1.6.17-2

v1.6.18

v1.6.18_rc1

v1.6.18_rc2

v1.6.19

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.8_cr1

v1.6.8_cr3

v1.6.9

v1.7.0

v1.7.0-2

v1.7.0_rc1

v1.7.0_rc2

v1.7.1

v1.7.10

v1.7.10-2

v1.7.11

v1.7.12

v1.7.14

v1.7.2

v1.7.2_demo

v1.7.2_demo-2

v1.7.3

v1.7.3-2

v1.7.3-3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.7_rc1

v1.7.7_rc2

v1.7.7_rc3

v1.7.7_rc4

v1.7.7_rc5

v1.7.7_rc5-2

v1.7.8

v1.7.9

v1.8.0

v1.8.1

v1.8.10

v1.8.11

v1.8.12

v1.8.13

v1.8.13-2

v1.8.14

v1.8.15

v1.8.16

v1.8.17

v1.8.18

v1.8.19-2

v1.8.2

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.8.9

v2.*

v2.0.0

v2.0.1

v2.0.10

v2.0.11

v2.0.12

v2.0.13

v2.0.14

v2.0.15

v2.0.16

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9

v2.1.0

v2.1.0-0.rc1

v2.1.0-0.rc2

v2.1.0-0.rc3

v2.1.0-0.rc4

v2.1.0-0.rc5

v2.1.0-0.rc6

v2.1.0-0.rc7

v2.1.0-0.rc8

v2.1.0-0.rc9

v2.1.0-0.start

v2.1.0-0.start.1

v2.1.0-0.start.2

v2.1.0-0.start.3

v2.1.0-0.start.4

v3.*

v3.0.0

v3.0.0-0.rc1

v3.0.1

v3.1.0

v3.1.0-0.1.start.1

v3.1.0-0.rc1

v3.1.0-0.rc2

v3.1.1

v3.1.10

v3.1.11

v3.1.12

v3.1.13

v3.1.14

v3.1.15

v3.1.4

v3.1.5

v3.1.6

v3.1.7

v3.1.8

v3.1.9

v4.*

v4.0.0

v4.0.0-0.rc1

v4.0.0-0.start.1

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62724.json"