CVE-2025-64185 identifies a vulnerability in Open OnDemand, a widely used open-source portal for high-performance computing (HPC) environments. The vulnerability stems from the creation of world-writable directories within the GEM_PATH environment variable by Open OnDemand packages in versions prior to 4.0.8 and 3.1.16. GEM_PATH is used by RubyGems to locate gem files, and having world-writable locations in this path allows unauthorized users to insert or modify files that the HPC portal may load or execute. This insecure inherited permission issue (CWE-277) combined with the potential for unauthorized file modification (CWE-552) can lead to integrity violations within the HPC environment. The vulnerability is remotely exploitable without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The CVSS 4.0 base score of 6.9 classifies it as medium severity, reflecting the moderate impact on system integrity and the ease of exploitation. While no known exploits are currently reported in the wild, the vulnerability poses a risk to HPC portals that rely on Open OnDemand, especially those that have not applied the patches in versions 4.0.8 or 3.1.16. The issue highlights the importance of secure permission management in HPC software environments, where unauthorized code execution or modification can disrupt critical scientific computations or data processing workflows.

For European organizations, particularly those operating HPC clusters in academic, research, and industrial sectors, this vulnerability could lead to unauthorized modification of HPC portal components or injected malicious code. This compromises the integrity of computational jobs, potentially leading to incorrect scientific results or data corruption. The availability of HPC resources could also be indirectly affected if malicious actors exploit this vulnerability to disrupt service or escalate privileges. Given the remote, unauthenticated nature of the exploit, attackers could leverage this flaw to gain footholds in HPC environments, which are often interconnected with sensitive research data and intellectual property. The impact is especially critical for institutions involved in sensitive research fields such as pharmaceuticals, climate modeling, and defense-related simulations. Additionally, the vulnerability could be exploited to propagate malware or ransomware within HPC infrastructures, amplifying operational and reputational damage. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks.

European organizations should immediately upgrade Open OnDemand installations to versions 4.0.8 or 3.1.16, which contain patches addressing the insecure permission issue. In addition to patching, administrators must audit the GEM_PATH environment variable and all directories it references to ensure no world-writable permissions exist. Implement strict filesystem permission policies that restrict write access to trusted users only. Regularly monitor HPC portal logs and file integrity to detect unauthorized changes. Employ role-based access controls (RBAC) within HPC environments to limit the scope of potential exploitation. Consider isolating HPC portal services in containerized or sandboxed environments to reduce the impact of any compromise. Finally, integrate vulnerability scanning and configuration management tools tailored for HPC systems to proactively identify and remediate insecure permissions or configurations.