CVE-2025-53636: CWE-400: Uncontrolled Resource Consumption in OSC ondemand

Medium
Type: Vulnerability | Tags: CVE-2025-53636, cve, cve-2025-53636, cwe-400, cwe-779
Published: Fri Jul 11 2025 (07/11/2025, 21:20:14 UTC)
Source: CVE Database V5
Vendor/Project: OSC
Product: ondemand

Description

Open OnDemand is an open-source HPC portal. Users can flood logs by interacting with the shell app and generating many errors. Users who flood logs can create very large log files causing a Denial of Service (DoS) to the ondemand system. This vulnerability is fixed in 3.1.14 and 4.0.6.

AI-Powered Analysis

AI analysis, last updated: 07/19/2025, 20:57:39 UTC

Technical Analysis

CVE-2025-53636 is a medium severity vulnerability affecting Open OnDemand (ondemand), an open-source High Performance Computing (HPC) portal developed by the Open Science Grid Consortium (OSC). The vulnerability is categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-779 (Log Injection). It arises when users interact with the shell application component of ondemand in a manner that generates numerous errors, thereby flooding the system logs. This excessive logging leads to the creation of very large log files, which can exhaust disk space or other system resources, ultimately causing a Denial of Service (DoS) condition that disrupts the availability of the ondemand portal. The vulnerability affects ondemand versions from 1.6 up to but not including 3.1.14, and from 4.0.0-0.rc1 up to but not including 4.0.6. The flaw does not require user interaction and can be exploited remotely with low complexity, but requires low-level privileges (PR:L). The CVSS v3.1 base score is 5.4, reflecting a medium severity level with no impact on confidentiality, limited impact on integrity, and significant impact on availability. No known exploits are currently reported in the wild. The vulnerability has been addressed in ondemand versions 3.1.14 and 4.0.6, where proper controls on logging and resource consumption have been implemented to prevent log flooding and resource exhaustion.

Potential Impact

For European organizations utilizing Open OnDemand as a portal for HPC resource management, this vulnerability poses a risk of service disruption. HPC environments are critical for research institutions, universities, and industries relying on computational resources for scientific simulations, data analysis, and engineering tasks. A successful exploitation could lead to denial of service, halting access to HPC resources and delaying critical workloads. This can impact research timelines, operational efficiency, and potentially lead to financial losses or reputational damage. Since ondemand is often deployed in multi-user environments, malicious or careless users could intentionally or unintentionally trigger this vulnerability, affecting all users of the system. The lack of confidentiality impact reduces risk of data leakage, but the availability impact is significant in environments where HPC portals are central to operations. Additionally, recovery from a DoS caused by log flooding may require administrative intervention and system restarts, increasing downtime.

Mitigation Recommendations

European organizations should immediately verify their ondemand version and upgrade to 3.1.14 or 4.0.6 or later to apply the official patch. Until patched, administrators should implement strict user activity monitoring and limit the ability of users to generate excessive errors in the shell app. Implementing quota controls on log file sizes and disk usage can help prevent resource exhaustion. Additionally, configuring log rotation policies with aggressive rotation and compression can mitigate log file growth. Restricting shell app access to trusted users and enforcing least privilege principles reduces the risk of exploitation. Network-level controls such as rate limiting and anomaly detection can identify and block attempts to flood logs. Regular auditing of log files and system resource usage will help detect early signs of exploitation. Finally, organizations should prepare incident response plans to quickly recover from potential DoS events caused by this vulnerability.
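As an added illustration of the monitoring this section recommends (not code from the Open OnDemand project or from the original advisory), the Python script below applies two of the suggested checks over constructed input: a per-user sliding-window count of shell-app error lines, which surfaces one account producing an abnormal burst of errors, and a peak log growth rate computed from file-size samples, which flags a log that suddenly grows far faster than its baseline. The log line layout, the field names (`user=`, `app=`), the sample lines and the thresholds are all assumptions made for this example; substitute your deployment's real log format into `LINE_RE`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample lines in a hypothetical "ts LEVEL user= app= msg=" layout.
# This is NOT Open OnDemand's real log format; adapt LINE_RE to your deployment.
SAMPLE_LOG = [
    '2025-07-11T21:20:00Z INFO user=bob app=shell msg="session started"',
    # alice: six errors in six seconds (a burst)
    *[f'2025-07-11T21:20:{s:02d}Z ERROR user=alice app=shell msg="unknown host"' for s in range(1, 7)],
    '2025-07-11T21:20:07Z ERROR user=bob app=shell msg="connection closed"',
    # carol: six errors spread three minutes apart (normal background noise)
    *[f'2025-07-11T21:{m:02d}:00Z ERROR user=carol app=shell msg="timeout"' for m in range(22, 40, 3)],
    '2025-07-11T21:40:00Z ERROR user=dave app=dashboard msg="bad request"',
    'this line is garbage and must be skipped, not crash the monitor',
]

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<level>[A-Z]+) '
    r'user=(?P<user>\S+) app=(?P<app>\S+) msg='
)


def parse_line(line):
    """Return a dict with ts (aware datetime), level, user and app, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def find_error_bursts(lines, window_seconds=60, max_errors=5, app="shell"):
    """Sliding-window count of ERROR lines per user.

    Returns {user: peak_count} for every user whose ERROR count within any
    window_seconds-long window exceeded max_errors. Lines are assumed to be in
    time order, as they are when tailed from a file. app=None counts all apps.
    """
    recent = defaultdict(deque)   # user -> timestamps of ERRORs inside the current window
    peaks = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["level"] != "ERROR":
            continue
        if app is not None and rec["app"] != app:
            continue
        q = recent[rec["user"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the window; q is never empty here.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_errors:
            peaks[rec["user"]] = max(peaks.get(rec["user"], 0), len(q))
    return peaks


def peak_growth_rate(samples):
    """Steepest growth in bytes/second between consecutive (seconds, size_bytes) samples.

    A per-interval peak catches a short burst that an average over the whole
    series would hide; compare the result against the disk headroom you have.
    """
    peak = 0.0
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        if t1 > t0:
            peak = max(peak, (s1 - s0) / (t1 - t0))
    return peak


if __name__ == "__main__":
    print(find_error_bursts(SAMPLE_LOG))   # {'alice': 6}
    # Constructed size samples: the log jumps by ~8 MB in one minute.
    print(peak_growth_rate([(0, 1000), (60, 2000), (120, 8_000_000), (180, 8_001_000)]))
```

In a deployment, feed `find_error_bursts` the tailed log of the shell app and alert on any user it returns; feed `peak_growth_rate` periodic size readings of the same file. Both checks complement, rather than replace, hard limits on the file itself (a logrotate `maxsize` with compression, and a disk quota on the log location), because detection only helps if something also caps what a flooding session can write.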

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-07T14:20:38.390Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6871829aa83201eaacb16c8a

Added to database: 7/11/2025, 9:31:06 PM

Last enriched: 7/19/2025, 8:57:39 PM

Last updated: 8/17/2025, 12:47:32 AM
