CVE-2025-66029 in ondemandinfo

Summary

by MITRE • 12/18/2025

Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that records these headers when unsuspecting users connect to it. Maintainers anticipate a patch in a 4.1 release. Workarounds exist for 4.0.x versions. Using `custom_location_directives` in `ood_portal.yml` in version 4.0.x (not available for versions below 4.0), centers can unset and/or edit these headers. Note that `OIDCPassClaimsAs both` is the default, and centers can set `OIDCPassClaimsAs` to `none` or `environment` to stop passing these headers to the client. Centers that have an OIDC provider with `OIDCPassClaimsAs` set to `none` or `environment` can adjust the settings using guidance provided in GHSA-2cwp-8g29-9q32 to unset the mod_auth_openidc_session cookies.


Analysis

by VulDB Data Team • 12/18/2025

CVE-2025-66029 affects Open OnDemand versions 4.0.8 and earlier. It is a critical flaw in the Apache proxy configuration that exposes sensitive header information: the proxy does not strip or sanitize headers before forwarding requests to origin servers, so a malicious actor can exploit the platform's trust model to capture confidential data. The headers at issue are authentication and session headers that a secure proxy configuration would normally remove or rewrite, but which the vulnerable versions pass through unchanged.

Technically, the problem stems from the default behavior of Open OnDemand's Apache proxy, which forwards headers carrying authentication tokens, session identifiers, and user claims to backend servers without filtering. An attacker can therefore stand up an origin server on a compute node and record these headers whenever legitimate users connect to it through the proxy. The issue is classified as CWE-200 (information exposure), here through improper header handling, and departs from the secure-proxy practice of preventing sensitive data from leaking between network components. The default `OIDCPassClaimsAs both` setting in the authentication configuration makes this worse: user claims are passed both as HTTP headers and as environment variables, giving the disclosure more than one path.

The operational impact goes beyond simple data leakage. Captured headers may contain authentication tokens, user identifiers, and session information that let an attacker impersonate legitimate users or escalate privileges within the supercomputing environment. Organizations that rely on Open OnDemand for remote access to high-performance computing resources risk unauthorized use of compute capacity, data-processing capabilities, and potentially sensitive research data. Academic and research institutions, which commonly use Open OnDemand to provide access to shared computing resources, are particularly affected: a compromised authentication header can lead to unauthorized resource consumption and data breaches. The flaw is also a concern for organizations following frameworks such as NIST SP 800-53, which emphasizes protecting authentication information and preventing unauthorized access to computing resources.

Mitigation consists of immediate workarounds and a long-term fix. Organizations on Open OnDemand 4.0.x can add custom location directives in the `ood_portal.yml` configuration file to explicitly unset or modify sensitive headers before they reach origin servers. This addresses the root cause by stopping header propagation at the proxy layer and follows the principle of least privilege. The recommended configuration change is to set `OIDCPassClaimsAs` to `none` or `environment` instead of the default `both`, which removes user claims from HTTP headers. In addition, the guidance in GHSA-2cwp-8g29-9q32 shows how to configure mod_auth_openidc session cookies so that authentication tokens are not inadvertently passed to client applications. The planned 4.1 patch addresses the core configuration issue with proper header sanitization and secure default settings.

Organizations should also consider network segmentation, monitoring for unusual header patterns, and regular security assessments to detect attempted exploitation. The vulnerability illustrates how much secure proxy configuration and correct handling of authentication headers matter in distributed computing environments, where exposed authentication data can compromise an entire infrastructure. Because the fix must preserve functionality while removing the risk, configuration changes should be tested in a non-production environment before deployment to confirm continued service availability.
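The following is an added example, not code from the advisory or from the Open OnDemand project. It shows the check a center would run against a test origin it controls on a compute node: parse the request the proxy delivered, flag the OIDC claim headers (default `OIDC_CLAIM_` prefix), access-token headers and the `mod_auth_openidc_session` cookie, and emit the Apache `RequestHeader` directives that would strip them. The `/node/...` path, host name and all token values are constructed placeholders, and it is assumed that `custom_location_directives` accepts raw Apache directives.

```python
import re
# Names mod_auth_openidc attaches to proxied requests when OIDCPassClaimsAs is
# "headers" or "both" (the default). OIDC_CLAIM_ is the default OIDCClaimPrefix;
# a site that changed the prefix must adjust CLAIM_PREFIX to match.
CLAIM_PREFIX = "oidc_claim_"
TOKEN_HEADERS = {"oidc_access_token", "oidc_access_token_expires"}
SESSION_COOKIE = "mod_auth_openidc_session"

# Constructed sample: what a test origin on a compute node would see arrive
# through the proxy. All values are placeholders, not real tokens.
SAMPLE_REQUEST = (
    "GET /node/c0123/8080/ HTTP/1.1\r\n"
    "Host: ondemand.example.edu\r\n"
    "Cookie: mod_auth_openidc_session=EXAMPLE-SESSION-ID; _ga=1\r\n"
    "OIDC_CLAIM_sub: jdoe\r\n"
    "OIDC_CLAIM_email: jdoe@example.edu\r\n"
    "OIDC_access_token: EXAMPLE-ACCESS-TOKEN\r\n"
    "X-Forwarded-For: 203.0.113.5\r\n"
    "\r\n"
)

def parse_request_headers(raw: str) -> dict:
    """Header block of an HTTP/1.1 request -> {original name: value}."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                        # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def audit_headers(headers: dict) -> dict:
    """Leaked OIDC claim/token header names, plus whether the session cookie got through."""
    leaked, cookie = [], False
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith(CLAIM_PREFIX) or lname in TOKEN_HEADERS:
            leaked.append(name)
        elif lname == "cookie" and re.search(rf"(^|;\s*){SESSION_COOKIE}=", value):
            cookie = True
    return {"headers": leaked, "session_cookie": cookie}

def remediation_directives(report: dict) -> list:
    """mod_headers lines that strip what the audit found; a center would place
    these in custom_location_directives (assumed to accept raw directives)."""
    lines = [f"RequestHeader unset {h}" for h in report["headers"]]
    if report["session_cookie"]:
        lines.append(f'RequestHeader edit Cookie "(^|;\\s*){SESSION_COOKIE}=[^;]*;?\\s*" "$1"')
    return lines
```

Re-running the audit after the directives are deployed (and after `OIDCPassClaimsAs` is changed from `both`) should return an empty header list and no session cookie.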

Responsible

GitHub M

Reservation

11/21/2025

Disclosure

12/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00035

KEV

no

Activities

very low
