CVE-2025-66029: CWE-522: Insufficiently Protected Credentials in OSC ondemand
Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that records these headers when unsuspecting users connect to it. Maintainers anticipate a patch in a 4.1 release. Workarounds exist for 4.0.x versions. Using `custom_location_directives` in `ood_portal.yml` in version 4.0.x (not available for versions below 4.0), centers can unset and/or edit these headers. Note that `OIDCPassClaimsAs both` is the default and centers can set `OIDCPassClaimsAs` to `none` or `environment` to stop passing these headers to the client. Centers that have an OIDC provider with the `OIDCPassClaimsAs` `none` or `environment` settings can adjust the settings using guidance provided in GHSA-2cwp-8g29-9q32 to unset the `mod_auth_openidc_session` cookies.
AI Analysis
Technical Summary
Open OnDemand is a web-based platform that provides remote access to supercomputers, widely used in HPC environments. Versions 4.0.8 and earlier contain a vulnerability (CVE-2025-66029) where the Apache proxy component forwards sensitive HTTP headers to origin servers without sufficient protection. This behavior allows a malicious user with some level of access to deploy a rogue origin server on a compute node, which can then capture these sensitive headers when legitimate users connect. The headers may contain authentication tokens or session cookies, leading to credential exposure (CWE-522) and insufficient credential protection (CWE-523). The default configuration uses `OIDCPassClaimsAs both`, which passes claims both as headers and environment variables, increasing risk. Administrators can mitigate exposure by modifying `ood_portal.yml` using `custom_location_directives` to unset or edit headers, and by setting `OIDCPassClaimsAs` to `none` or `environment` to reduce header transmission. These mitigations are available for 4.0.x versions but not earlier. A patch is anticipated in the 4.1 release to address this issue fully. The CVSS 3.1 score of 7.6 reflects a network attack vector with low complexity, requiring privileges and user interaction, with high confidentiality impact, limited integrity impact, and no availability impact. No known exploits are currently in the wild, but the vulnerability poses a significant risk to HPC environments relying on Open OnDemand for remote access.
Potential Impact
For European organizations, particularly those operating supercomputing centers and HPC clusters, this vulnerability poses a substantial risk to the confidentiality of user credentials and session tokens. Exposure of these credentials could allow attackers to impersonate legitimate users, gain unauthorized access to sensitive computational resources, and potentially exfiltrate or manipulate sensitive scientific or industrial data. Given the critical role of HPC in research, energy, finance, and defense sectors across Europe, such breaches could disrupt operations and compromise intellectual property. Although the vulnerability does not directly affect system integrity or availability, the loss of confidentiality alone can have severe operational and reputational consequences. The requirement for some privileges and user interaction limits exploitation to insiders or targeted attacks, but the impact remains high due to the sensitivity of the affected environments.
Mitigation Recommendations
European HPC centers should immediately review their Open OnDemand configurations, especially if running version 4.0.8 or earlier. Administrators should implement the workaround by editing `ood_portal.yml` to include `custom_location_directives` that unset or modify sensitive headers before they reach origin servers. Changing the `OIDCPassClaimsAs` setting from the default `both` to `none` or `environment` reduces the risk of header leakage. Centers using OIDC providers should follow guidance from GHSA-2cwp-8g29-9q32 to unset `mod_auth_openidc_session` cookies appropriately. Monitoring internal network traffic for unauthorized origin servers on compute nodes can help detect attempts to exploit this vulnerability. Planning and testing the upgrade to Open OnDemand 4.1, once released, is critical for a permanent fix. Additionally, implementing strict access controls and auditing user activities on compute nodes can reduce the risk of malicious origin server deployment.
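As an added illustration (not taken from the advisory, GHSA-2cwp-8g29-9q32, or the Open OnDemand project), the relevant part of `ood_portal.yml` with the default setting next to a 4.0.x workaround built from the two knobs named above. The `oidc_settings` map, the list form of `custom_location_directives`, the `OIDC_access_token*` header names and the `mod_auth_openidc_session[0-9]*` cookie names are assumptions about a typical mod_auth_openidc deployment; `OIDCPassClaimsAs` and `RequestHeader` are standard mod_auth_openidc and mod_headers directives.

```yaml
# Before: default behaviour (assumed layout of ood_portal.yml).
# "both" places claims and tokens into request headers such as
# OIDC_CLAIM_* and OIDC_access_token; the Apache proxy then forwards
# them to whatever origin server on a compute node the user connects to.
oidc_settings:
  OIDCPassClaimsAs: "both"
---
# After: 4.0.x workaround (assumed layout of ood_portal.yml).
oidc_settings:
  # Claims stay available to the portal as environment variables only,
  # so mod_auth_openidc stops emitting OIDC_* request headers at all.
  OIDCPassClaimsAs: "environment"

# Literal Apache directives injected into the proxy <Location> block
# (custom_location_directives is a 4.0.x feature; mod_headers required).
# RequestHeader runs in the late (fixup) phase, i.e. after mod_auth_openidc
# has set its headers and before mod_proxy forwards the request.
custom_location_directives:
  # Defence in depth: drop the token headers even if OIDCPassClaimsAs is
  # later switched back to "headers" or "both".
  - 'RequestHeader unset OIDC_access_token'
  - 'RequestHeader unset OIDC_access_token_expires'
  # Strip only the mod_auth_openidc session cookie(s) from the Cookie
  # header so a compute-node origin never receives the portal session.
  # edit* rewrites every match, which also covers chunked cookies
  # (mod_auth_openidc_session0, mod_auth_openidc_session1, ...).
  # Other application cookies in the same header are left untouched.
  - 'RequestHeader edit* Cookie "(^|;\s*)mod_auth_openidc_session[0-9]*=[^;]*;?\s*" "$1"'
```

After regenerating the Apache configuration, confirm the effect by checking the generated `<Location>` block for the directives and by verifying from a trusted test app that the portal session cookie and `OIDC_*` headers are absent from proxied requests.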
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Italy, Spain, Sweden, Finland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-21T01:08:02.614Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6943327a058703ef3fcb5ca5
Added to database: 12/17/2025, 10:45:14 PM
Last enriched: 12/25/2025, 12:10:15 AM
Last updated: 2/6/2026, 2:49:43 AM