CVE-2025-62724: CWE-61: UNIX Symbolic Link (Symlink) Following in OSC ondemand
Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.
AI Analysis
Technical Summary
CVE-2025-62724 is a vulnerability in Open OnDemand (OOD), a widely used open-source portal for high-performance computing (HPC) environments. The issue arises from a Time of Check to Time of Use (TOCTOU) race condition related to symbolic link (symlink) following during the process of downloading zip files. Specifically, when users request zip downloads, the system checks files against an allowlist (OOD_ALLOWLIST) to restrict access. However, due to the TOCTOU flaw, an attacker can manipulate symlinks between the check and the actual file access, causing the system to include files outside the allowlist in the zip archive. This can lead to unauthorized disclosure of files that should be restricted. The vulnerability affects all OOD versions before 4.0.8 and 3.1.16 that use file browser allowlists. Despite this, UNIX file permissions still apply, so attackers cannot access files they do not have permission for, limiting the scope to files accessible by the attacker but outside the intended allowlist. The CVSS v3.1 base score is 4.3 (medium), reflecting network attack vector, low complexity, requiring privileges but no user interaction, and limited confidentiality impact without integrity or availability effects. No known exploits have been reported in the wild as of now. The vulnerability has been addressed by patches in OOD versions 4.0.8 and 3.1.16, which fix the TOCTOU race condition and properly enforce allowlist restrictions during zip file generation.
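The check-then-use shape the analysis describes is easiest to see next to a version that closes the window. The block below is an added illustration of the bug class and its fix, not code from Open OnDemand; the names `naive_read`, `hardened_read`, `demo` and the `between_check_and_use` hook are hypothetical, and the directory fixture is constructed in a temporary directory. `naive_read` validates a resolved path and then opens it by name, so a symlink that appears in between is silently followed; `hardened_read` walks the path one component at a time relative to a directory descriptor with `O_NOFOLLOW` at every step, so there is no gap between check and use and no symlink can carry the walk outside the allowlisted root.

```python
import os
import shutil
import tempfile

# Open flags that refuse to follow a symlink at the component being opened.
_DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
_FILE_FLAGS = os.O_RDONLY | os.O_NOFOLLOW


def _components(relpath):
    """Split a user-supplied relative path and reject parent traversal outright."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise PermissionError("parent-directory traversal rejected: %r" % relpath)
    if not parts:
        raise PermissionError("empty path")
    return parts


def naive_read(root, relpath, between_check_and_use=None):
    """Check-then-use, the shape of the bug class: validate the resolved path,
    then open it *by name*. `between_check_and_use` is a hypothetical hook that
    stands in for the window a race fits into; in production it is just time."""
    root = os.path.realpath(root)
    target = os.path.join(root, *_components(relpath))
    # CHECK: right now the name resolves inside the allowlisted root ...
    if not os.path.realpath(target).startswith(root + os.sep):
        raise PermissionError("outside allowlist: %r" % relpath)
    if between_check_and_use is not None:
        between_check_and_use()
    # USE: ... but open() follows whatever the name points at *now*.
    with open(target, "rb") as f:
        return f.read()


def hardened_read(root, relpath):
    """Walk the path one component at a time relative to a directory fd, with
    O_NOFOLLOW at every step, so no symlink (pre-existing or raced in) can take
    the walk outside the root. There is no check/use gap: the fd is the check."""
    parts = _components(relpath)
    dirfd = os.open(os.path.realpath(root), _DIR_FLAGS)
    try:
        for part in parts[:-1]:
            nxt = os.open(part, _DIR_FLAGS, dir_fd=dirfd)  # ELOOP if a symlink
            os.close(dirfd)
            dirfd = nxt
        fd = os.open(parts[-1], _FILE_FLAGS, dir_fd=dirfd)  # ELOOP if a symlink
    finally:
        os.close(dirfd)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo():
    """Constructed fixture (not real OOD data): an allowlisted root holding
    data.txt, a file outside the root, and a simulated race that swaps data.txt
    for a symlink after the naive check has already passed."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "allowed")
        os.mkdir(root)
        with open(os.path.join(root, "data.txt"), "wb") as f:
            f.write(b"public data")
        with open(os.path.join(base, "outside.txt"), "wb") as f:
            f.write(b"outside the allowlist")

        def swap():  # the change that has to land inside the check/use window
            os.remove(os.path.join(root, "data.txt"))
            os.symlink(os.path.join(base, "outside.txt"),
                       os.path.join(root, "data.txt"))

        results = {}
        results["hardened_before_race"] = hardened_read(root, "data.txt")
        results["naive_after_race"] = naive_read(root, "data.txt", swap)
        try:
            results["hardened_after_race"] = hardened_read(root, "data.txt")
        except OSError:
            results["hardened_after_race"] = "refused"
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %r" % (name, value))
```

Refusing every symlink is the strict choice; a site that wants to keep legitimate symlinks inside the allowlist can instead open the file first and re-validate the opened descriptor (for example by comparing its `fstat` device and inode with the object that was checked), which still binds the decision to the object actually read rather than to a name that can change underneath it.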
Potential Impact
For European organizations, particularly research institutions and HPC centers relying on Open OnDemand portals, this vulnerability poses a risk of unauthorized data disclosure. Attackers with valid user credentials but limited privileges could exploit the TOCTOU flaw to access files outside the configured allowlist, potentially exposing sensitive research data, intellectual property, or personally identifiable information stored on HPC systems. Although UNIX permissions still restrict access, misconfigurations or overly permissive file permissions could exacerbate the impact. The vulnerability does not allow privilege escalation or system compromise but undermines data confidentiality within HPC environments. Given the strategic importance of HPC in European scientific research, energy, and defense sectors, exploitation could lead to data leaks or compliance violations under GDPR if personal data is exposed. The lack of known exploits reduces immediate risk, but the medium severity and ease of exploitation warrant prompt remediation to protect sensitive assets.
Mitigation Recommendations
1. Upgrade Open OnDemand installations to version 4.0.8 or 3.1.16 or later, where the vulnerability is patched.
2. Review and tighten file browser allowlist configurations to ensure only necessary directories and files are accessible.
3. Audit UNIX file permissions on HPC storage to minimize access to sensitive files by non-privileged users.
4. Implement monitoring and alerting for unusual zip download requests or file access patterns that could indicate exploitation attempts.
5. Educate HPC users about the risks of symlink manipulation and encourage reporting of suspicious behavior.
6. If immediate patching is not feasible, consider disabling zip file downloads or restricting this functionality to trusted users until patched.
7. Regularly review and update HPC portal security policies and perform penetration testing focused on file access controls and symlink handling.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-20T19:41:22.742Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691f4e5838b88f02b5191673
Added to database: 11/20/2025, 5:22:32 PM
Last enriched: 11/20/2025, 5:28:14 PM
Last updated: 11/20/2025, 8:28:34 PM