
CVE-2025-66029: CWE-522: Insufficiently Protected Credentials in OSC ondemand

Severity: High
Tags: vulnerability, CVE-2025-66029, CWE-522, CWE-523
Published: Wed Dec 17 2025 (12/17/2025, 22:32:51 UTC)
Source: CVE Database V5
Vendor/Project: OSC
Product: ondemand

Description

Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that records these headers when unsuspecting users connect to it. Maintainers anticipate a patch in a 4.1 release. Workarounds exist for 4.0.x versions. Using `custom_location_directives` in `ood_portal.yml` in version 4.0.x (not available for versions below 4.0), centers can unset and/or edit these headers. Note that `OIDCPassClaimsAs both` is the default and centers can set `OIDCPassClaimsAs` to `none` or `environment` to stop passing these headers to the client. Centers that have an OIDC provider with the `OIDCPassClaimsAs` `none` or `environment` settings can adjust the settings using guidance provided in GHSA-2cwp-8g29-9q32 to unset the mod_auth_openidc_session cookies.

AI-Powered Analysis

Last updated: 12/17/2025, 23:00:17 UTC

Technical Analysis

Open OnDemand is a web portal that gives users browser-based access to HPC clusters and is widely deployed at research institutions and national supercomputing centers. In versions 4.0.8 and earlier (CVE-2025-66029), the Apache reverse proxy that connects a user's browser to applications running on compute nodes forwards sensitive request headers to those origin servers unchanged. The underlying weaknesses are insufficiently protected credentials (CWE-522) and unprotected transport of credentials (CWE-523). With mod_auth_openidc at its default `OIDCPassClaimsAs both`, the authenticated user's OIDC claims are attached to every request as headers, and the browser's Cookie header still carries the `mod_auth_openidc_session` session cookie; both reach whatever listener a job has opened on a compute node. Any user who can run a job there can start such a listener, record incoming headers, and wait for another user to be proxied to it, harvesting session cookies and claims that allow that user to be impersonated to the portal. The CVSS 3.1 base score is 7.6 (high): network attack vector, low attack complexity, low privileges required, user interaction required, high confidentiality impact, low integrity impact and no availability impact. The maintainers plan a fix in a 4.1 release. Until then, 4.0.x centers can use `custom_location_directives` in `ood_portal.yml` to unset or edit the offending headers before the request is proxied, and can set `OIDCPassClaimsAs` to `none` or `environment` so that claims are no longer emitted as headers at all. Centers already running `none` or `environment` are not fully covered by that setting alone: the `mod_auth_openidc_session` cookie travels in the Cookie header regardless, so they should follow the guidance in GHSA-2cwp-8g29-9q32 to strip it. No exploitation in the wild had been reported at publication, but credential leakage in a shared HPC environment is a serious concern.

Potential Impact

The vulnerability primarily threatens the confidentiality of session cookies and OIDC claims used to authenticate to Open OnDemand. An attacker who lures another user into connecting, through the portal, to a listener the attacker runs on a compute node can capture that user's credentials and use them to act as that user: submitting jobs, reading or exfiltrating data, or moving laterally within the cluster. The integrity impact is lower but real, since a captured session lets the attacker act in the victim's name; availability is not directly affected. For European organizations, especially research institutions and national HPC centers that rely on Open OnDemand, this could expose sensitive scientific data and computational workloads. The precondition for the attack is modest: in a typical cluster every user who can submit a job can run a process on a compute node, so the risk applies wherever OIDC authentication is used with default settings. Because no patched release was available at disclosure, organizations must rely on configuration workarounds to mitigate the risk. Exposure of user credentials could also undermine trust in HPC access mechanisms and raise data-protection obligations under GDPR.

Mitigation Recommendations

1. Upgrade Open OnDemand to version 4.1 or later as soon as the patched release is available; that is the only complete fix.
2. On 4.0.x in the meantime, add `custom_location_directives` entries to `ood_portal.yml` that unset or edit the sensitive headers before the request reaches the proxied origin server, then regenerate the Apache configuration.
3. Change `OIDCPassClaimsAs` from the default `both` to `none` or `environment` so that mod_auth_openidc stops attaching OIDC claims to requests as headers; `environment` keeps the claims available to the portal's own processes without exposing them to proxied origin servers.
4. Whatever the `OIDCPassClaimsAs` setting, follow GHSA-2cwp-8g29-9q32 to strip the `mod_auth_openidc_session` cookie, which is carried in the browser's Cookie header and is not affected by that directive. Remove only that cookie rather than the whole Cookie header, since interactive apps on compute nodes rely on their own cookies.
5. Restricting who can run listeners on compute nodes is rarely practical, because Open OnDemand's interactive apps work precisely by proxying to servers that users start in their jobs; treat header stripping as the primary control and access restriction as a supplement where the cluster's usage allows it.
6. Review the portal's Apache access logs for proxied requests (the `/node/` and `/rnode/` paths) that reach hosts and ports not associated with a running job of the requesting user, and alert on them.
7. Warn users not to open portal links to compute-node hosts and ports that they did not generate themselves, for example links shared by other users, because the portal will proxy their session to whatever is listening there.
8. Audit the generated Apache configuration after each change and confirm, from a test job on a compute node, that no `OIDC_*` headers and no `mod_auth_openidc_session` cookie arrive at the origin server.
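The 4.0.x workaround described in the description, the technical analysis and the steps above, written out as an `ood_portal.yml` fragment. This is an added example, not configuration shipped by Open OnDemand or quoted from the advisory. It assumes that `custom_location_directives` takes a list of Apache directive strings in the same form as the existing `auth:` list and is rendered into the location that fronts the compute-node proxies, that mod_auth_openidc runs with its defaults (claim prefix `OIDC_CLAIM_`, session cookie named `mod_auth_openidc_session`), and that `OIDC_access_token` and `OIDC_access_token_expires` are the token header names your mod_auth_openidc version emits; check the generated Apache config after regenerating it.

```yaml
# /etc/ood/config/ood_portal.yml (excerpt). Added example; key and directive
# placement are assumptions described in the lead-in, not the project's own
# shipped configuration.
#
# Behaviour being replaced: with the default "OIDCPassClaimsAs both", every
# OIDC claim is attached to the request as an OIDC_CLAIM_* header, and the
# browser's Cookie header carries mod_auth_openidc_session. The Apache proxy
# forwards both to whatever listener a job has opened on a compute node.
custom_location_directives:
  # 1. Stop mod_auth_openidc from emitting claim headers at all. "environment"
  #    keeps claims available to the portal's own processes as environment
  #    variables, which mod_proxy does not forward; "none" works equally here.
  - 'OIDCPassClaimsAs environment'

  # 2. Belt and braces for the token headers, in case header passing is
  #    re-enabled by an override elsewhere in the configuration.
  - 'RequestHeader unset OIDC_access_token'
  - 'RequestHeader unset OIDC_access_token_expires'

  # 3. Remove only the OIDC session cookie, not the whole Cookie header:
  #    interactive apps on the node (Jupyter, RStudio, ...) set and need their
  #    own cookies. The [^=;]* also matches chunked variants such as
  #    mod_auth_openidc_session_0 and mod_auth_openidc_session_chunks that
  #    client-side session storage produces. The trailing group swallows the
  #    "; " separator when the cookie is not the last one.
  - 'RequestHeader edit* Cookie "mod_auth_openidc_session[^=;]*=[^;]*(; ?|$)" ""'

  # 4. Tidy the dangling separator left when the removed cookie was last, and
  #    drop the Cookie header entirely if nothing remains in it.
  - 'RequestHeader edit Cookie "; ?$" ""'
  - 'RequestHeader unset Cookie "expr=-z %{req:Cookie}"'
```

After editing, regenerate the Apache configuration (on 4.0.x, `update_ood_portal` from the ood-portal-generator package), run `apachectl configtest`, and restart httpd. Then verify the result the same way an attacker would observe it: from a job on a compute node, start any small HTTP server that prints request headers, open it through the portal as a second test user, and confirm that no `OIDC_*` headers and no `mod_auth_openidc_session` cookie arrive while the app's own cookies still do. Centers that are already on `OIDCPassClaimsAs none` or `environment` only need directives 3 and 4, which is the case the advisory's GHSA-2cwp-8g29-9q32 guidance covers.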


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-21T01:08:02.614Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6943327a058703ef3fcb5ca5

Added to database: 12/17/2025, 10:45:14 PM

Last enriched: 12/17/2025, 11:00:17 PM

Last updated: 12/18/2025, 7:51:20 AM

