CVE-2025-62724 is a vulnerability in Open OnDemand (OOD), a widely used open-source portal for high-performance computing (HPC) environments. The flaw arises from a Time of Check to Time of Use (TOCTOU) race condition related to symbolic link (symlink) following when users download zip files through the OOD file browser. Specifically, before versions 4.0.8 and 3.1.16, the allowlist mechanism intended to restrict file access can be bypassed by crafting symlinks that point outside the allowed directories. This enables an attacker with at least limited privileges (PR:L) to access files outside the allowlist during the window between the check and the actual file use. However, UNIX file permissions remain enforced, limiting the scope of accessible files to those the user can legitimately read. The vulnerability is categorized under CWE-61 (Improper Restriction of Symbolic Links) and CWE-367 (Time-of-check Time-of-use Race Condition). The CVSS v3.1 base score is 4.3 (medium), with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality only. No known exploits have been reported in the wild, but the vulnerability poses a risk in HPC environments where sensitive data may be stored and accessed via OOD. The issue has been patched in OOD versions 4.0.8 and 3.1.16, and users are strongly advised to upgrade. The vulnerability highlights the importance of secure symlink handling and race condition mitigation in file access controls within HPC portals.

For European organizations, especially those operating HPC clusters and research facilities using Open OnDemand, this vulnerability could lead to unauthorized disclosure of sensitive data by allowing users to access files outside the intended allowlist. Although UNIX permissions limit file access, the flaw could expose internal configuration files, scripts, or data that should remain restricted, potentially aiding further attacks or data leakage. The impact is primarily on confidentiality, with no direct effect on data integrity or system availability. In research and academic institutions handling proprietary or personal data, this could violate data protection regulations such as GDPR if sensitive personal data is exposed. The medium severity rating reflects the limited scope but non-negligible risk in environments where OOD is deployed. Since HPC portals are often used collaboratively, an insider or compromised user account could exploit this vulnerability to escalate data access beyond intended boundaries. The absence of known exploits reduces immediate risk but does not eliminate the threat, making timely patching critical.

1. Upgrade all Open OnDemand installations to version 4.0.8 or later (or 3.1.16 or later for the 3.x branch) to apply the official patches addressing this vulnerability. 2. Review and tighten file browser allowlist configurations to ensure minimal necessary directories are accessible, reducing the attack surface. 3. Implement strict UNIX file permissions and regularly audit file access rights to ensure users cannot read sensitive files outside their scope. 4. Monitor HPC portal logs for unusual file access patterns or attempts to exploit symlink behavior. 5. Educate users about the risks of symlink attacks and encourage reporting of suspicious behavior. 6. Consider deploying additional file integrity monitoring tools to detect unauthorized file access or modifications. 7. If upgrading immediately is not feasible, restrict user privileges and access to the OOD file browser to trusted users only as a temporary measure.