Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66029

CVE-2025-66029: Open OnDemand Information Disclosure Flaw

CVE-2025-66029 is an information disclosure vulnerability in Open OnDemand where Apache proxy passes sensitive headers to origin servers. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-66029 Overview

CVE-2025-66029 affects Open OnDemand, a web portal that provides remote access to high-performance computing (HPC) and supercomputer environments. In versions 4.0.8 and prior, the Apache proxy forwards sensitive HTTP headers, including authentication-related claims and mod_auth_openidc_session cookies, to origin servers running on compute nodes. A malicious user can stand up a rogue origin server on a compute node and capture these headers from unsuspecting users who connect to it. The flaw is tracked under [CWE-522: Insufficiently Protected Credentials].

Critical Impact

Authenticated attackers operating on compute nodes can harvest OIDC claims and session cookies belonging to other Open OnDemand users, enabling credential theft and session compromise.

Affected Products

  • Open OnDemand versions 4.0.0 through 4.0.8
  • Open OnDemand deployments using OIDCPassClaimsAs both (the default)
  • HPC and research computing centers running unpatched Open OnDemand portals

Discovery Timeline

  • 2025-12-17 - CVE-2025-66029 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2025-66029

Vulnerability Analysis

Open OnDemand uses an Apache HTTP Server proxy to broker connections between authenticated users and applications running on backend compute nodes. The proxy passes the user's authentication context to these backends so applications can identify the requesting user. In affected versions, this forwarding is too permissive: sensitive headers such as OIDC claim headers and the mod_auth_openidc_session cookie are passed verbatim to any origin server the user reaches through the proxy.

Because compute nodes are typically shared resources where multiple users can launch arbitrary workloads, a malicious tenant can run a lightweight HTTP listener on a compute node they control. When another user is induced to connect to that listener through the Open OnDemand proxy, the listener logs the forwarded headers and harvests the victim's session material.

Root Cause

The root cause lies in the default Apache proxy configuration shipped with Open OnDemand. The OIDCPassClaimsAs directive defaults to both, which forwards OIDC claims as HTTP request headers in addition to environment variables. The proxy configuration also fails to strip the mod_auth_openidc_session cookie before forwarding requests to origin servers, leaving authentication state exposed to backend processes.

Attack Vector

Exploitation requires an authenticated attacker with the ability to run processes on a compute node reachable through the Open OnDemand reverse proxy. The attacker binds a malicious HTTP server to a port on the compute node and waits for, or socially engineers, a victim user into navigating to the malicious origin through the portal. The proxy then forwards the victim's OIDC claims and session cookie to the attacker's listener, which captures them for later replay or impersonation. User interaction is required, consistent with the published CVSS vector.

No verified public exploit code is available. See the GitHub Security Advisory GHSA-2cwp-8g29-9q32 for additional technical context.

Detection Methods for CVE-2025-66029

Indicators of Compromise

  • Unexpected user-launched HTTP listeners on compute nodes, particularly bound to ports reachable from the Open OnDemand proxy host
  • Apache access logs showing proxied requests to unusual or user-controlled URLs containing OIDC claim headers
  • Compute-node processes reading or logging headers matching OIDC_CLAIM_* or cookie names starting with mod_auth_openidc_session

Detection Strategies

  • Inventory the Open OnDemand version in use and flag installations at 4.0.8 or earlier
  • Audit ood_portal.yml for the presence and contents of custom_location_directives and verify whether sensitive headers are unset
  • Inspect Apache configuration for the active OIDCPassClaimsAs setting and confirm it is not left at the default both

Monitoring Recommendations

  • Forward Apache proxy access and error logs to a centralized log platform and alert on requests carrying OIDC headers to non-standard backend destinations
  • Monitor compute-node process telemetry for unauthorized HTTP servers spawned by interactive user sessions
  • Track outbound proxy connections from the Open OnDemand host to compute node ports not associated with sanctioned interactive applications

How to Mitigate CVE-2025-66029

Immediate Actions Required

  • Apply Open OnDemand 4.1 once released by the Ohio Supercomputer Center, which is expected to contain the upstream fix
  • For 4.0.x deployments, configure custom_location_directives in ood_portal.yml to unset or rewrite sensitive headers before they reach origin servers
  • Change OIDCPassClaimsAs from the default both to none or environment so OIDC claims are not transmitted as HTTP headers
  • Follow the cookie-stripping guidance in GHSA-2cwp-8g29-9q32 to unset mod_auth_openidc_session cookies on proxied requests

Patch Information

Maintainers have indicated a fix will ship in the Open OnDemand 4.1 release. No patched 4.0.x version is currently available, so administrators must apply the documented configuration workarounds until 4.1 is published. Refer to the Open OnDemand Security Advisory for the authoritative remediation steps.

Workarounds

  • Use custom_location_directives in ood_portal.yml (available in 4.0.x only) to RequestHeader unset the OIDC claim headers and the session cookie on proxied requests
  • Set OIDCPassClaimsAs none or OIDCPassClaimsAs environment in the OIDC provider configuration to stop passing claim headers to clients
  • Restrict which ports on compute nodes the Open OnDemand proxy is permitted to reach, limiting where a rogue origin server can be exposed
bash
# Example ood_portal.yml snippet to strip sensitive headers
custom_location_directives: |
  RequestHeader unset Cookie
  RequestHeader unset OIDC_CLAIM_sub
  RequestHeader unset OIDC_CLAIM_email
  RequestHeader unset OIDC_CLAIM_preferred_username
  RequestHeader edit Cookie "mod_auth_openidc_session=[^;]+;?\s*" ""

# Then regenerate the Apache configuration
sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
sudo systemctl reload httpd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.