CVE-2025-62724

Date: November 20, 2025

Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.

Severity Score

Weakness Type (CWE)

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-61: UNIX Symbolic Link (Symlink) Following

Top Fix

Upgrade Version

Upgrade to version v4.0.8 or v3.1.16 of https://github.com/OSC/ondemand.git (whichever matches the major release in use).

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE
