CVE-2025-64185: CWE-277: Insecure Inherited Permissions in OSC ondemand
Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, Open OnDemand packages create world-writable locations in the GEM_PATH. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.
AI Analysis
Technical Summary
CVE-2025-64185 identifies a security vulnerability in Open OnDemand, a widely used open-source portal for high-performance computing (HPC) environments. The vulnerability stems from the creation of world-writable directories within the locations listed in the GEM_PATH environment variable in versions prior to 4.0.8 and 3.1.16. GEM_PATH is used by RubyGems to locate libraries and executables; if a directory in this path is world-writable, any local account can insert or modify gems or executables that the HPC portal may later load or execute. This constitutes an insecure inherited permissions issue (CWE-277) and improper control over critical resources (CWE-552). The vulnerability is remotely exploitable without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact primarily affects integrity: an attacker who can write to these directories can execute arbitrary code or alter application behavior by manipulating GEM_PATH contents. The CVSS score of 6.9 reflects a medium severity level, balancing ease of exploitation against the limited scope of impact. Although no exploits are currently reported in the wild, the vulnerability poses a significant risk to HPC environments that rely on Open OnDemand for user access and job management. The issue has been addressed in Open OnDemand versions 4.0.8 and 3.1.16 through patches that remove world-writable permissions from GEM_PATH directories, thereby preventing unauthorized modifications.
Potential Impact
For European organizations, especially those operating HPC clusters and research computing facilities, this vulnerability could lead to unauthorized code execution or manipulation of HPC job workflows. Such integrity compromises may result in corrupted computational results, unauthorized data access, or disruption of critical scientific workloads. Given the multi-user, collaborative nature of HPC environments, an attacker exploiting this vulnerability could escalate privileges or move laterally within the network. The impact extends to academic institutions, government research centers, and industries relying on HPC for simulations, data analysis, or modeling. Disruption or manipulation of HPC resources can delay research, cause financial losses, and damage reputations. Since Open OnDemand is widely adopted in European HPC centers, the vulnerability presents a tangible risk if left unpatched. However, the lack of known exploits and the medium severity rating suggest that immediate catastrophic impact is unlikely, though it should not be underestimated.
Mitigation Recommendations
1. Upgrade Open OnDemand installations to versions 4.0.8 or 3.1.16 or later to apply the official patches that fix the insecure permissions issue.
2. Audit and correct file system permissions on GEM_PATH directories to ensure they are not world-writable; restrict write permissions to trusted administrators only.
3. Implement strict access controls and monitoring on HPC portal environments to detect unauthorized changes to environment variables and directory permissions.
4. Employ runtime integrity monitoring tools to detect unexpected modifications in GEM_PATH or loaded libraries.
5. Educate HPC administrators about the risks of inherited permissions and enforce secure configuration management practices.
6. Consider isolating HPC portal services in containers or sandboxes to limit the impact of potential exploitation.
7. Regularly review and update HPC software dependencies and environment configurations to minimize exposure to similar vulnerabilities.
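Recommendations 2 and 4 above amount to one concrete check: walk every directory under each GEM_PATH entry and flag any that is writable by "other" (tolerating the sticky bit, as on /tmp). The Ruby script below is an added example written for this page, not code from Open OnDemand or RubyGems; it assumes a POSIX filesystem, reads GEM_PATH from the environment when run directly, and only changes permissions when `apply: true` is passed.

```ruby
# Added example: audit GEM_PATH entries for world-writable directories
# (the CVE-2025-64185 class of defect). Assumes a POSIX filesystem.
require 'find'
require 'tmpdir'
require 'fileutils'

# Returns [path, mode] pairs for every directory under the given roots that
# is other-writable and lacks the sticky bit. Roots that do not exist are
# skipped, since GEM_PATH often lists directories that were never created.
def world_writable_dirs(roots)
  findings = []
  roots.each do |root|
    next unless File.directory?(root)
    Find.find(root) do |path|
      st = File.lstat(path)
      next unless st.directory?
      mode = st.mode & 0o7777
      # 0o002 = write for "other"; 0o1000 = sticky bit (tolerated)
      if (mode & 0o002) != 0 && (mode & 0o1000) == 0
        findings << [path, format('%04o', mode)]
      end
    end
  end
  findings
end

# Splits a GEM_PATH-style value (':'-separated on POSIX) into unique roots.
def gem_path_roots(value = ENV['GEM_PATH'])
  return [] if value.nil? || value.empty?
  value.split(File::PATH_SEPARATOR).reject(&:empty?).uniq
end

# Remediation helper: strips other-write from each offending directory.
# Dry-run by default so an audit has no side effects; returns the paths
# that were (or would be) changed.
def harden_dirs(findings, apply: false)
  findings.map do |path, _mode|
    new_mode = (File.stat(path).mode & 0o7777) & ~0o002
    File.chmod(new_mode, path) if apply
    path
  end
end

if __FILE__ == $PROGRAM_NAME
  found = world_writable_dirs(gem_path_roots)
  found.each { |path, mode| puts "world-writable: #{path} (mode #{mode})" }
  exit(found.empty? ? 0 : 1)   # non-zero exit makes it usable in a cron/CI check
end
```

Run it as the portal's service account, and rerun with `apply: true` only after confirming the flagged directories are genuinely part of the GEM_PATH and not a shared scratch location that relies on the sticky bit.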
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Italy, Spain, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-28T21:07:16.440Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691f4b4ed2e902043d281088
Added to database: 11/20/2025, 5:09:34 PM
Last enriched: 11/20/2025, 5:20:45 PM
Last updated: 11/20/2025, 8:18:25 PM