PT-2025-51973 · Open OnDemand

Honza801 · Published 2025-12-17 · Updated 2026-02-18 · CVE-2025-66029

CVSS v3.1 7.6 High
Vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Open OnDemand versions prior to 4.1
Description
Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and earlier the Apache reverse proxy forwards sensitive request headers (such as the claim headers and session cookies that mod_auth_openidc attaches to the authenticated request) to the origin servers it proxies. A malicious user can therefore start an origin server on a compute node and record those headers whenever unsuspecting users connect to it through the portal. Setting OIDCPassClaimsAs to none or environment stops mod_auth_openidc from passing claims as request headers, so they no longer reach proxied origins. For centers with an OIDC provider, the mod_auth_openidc session cookies can be adjusted using the guidance provided in GHSA-2cwp-8g29-9q32.
Recommendations
Update to 4.1 once that release is available. For 4.0.x, add custom location directives in ood_portal.yml that unset or edit the sensitive headers before requests are proxied, and set OIDCPassClaimsAs to none or environment. Centers with an OIDC provider should also adjust the mod_auth_openidc session cookies following the guidance in GHSA-2cwp-8g29-9q32.
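The following ood_portal.yml excerpt is an added illustration of the two 4.0.x mitigations above, not a fragment shipped by Open OnDemand or taken from the GHSA. It assumes a site that authenticates with mod_auth_openidc and that ood_portal.yml accepts an oidc_settings map (rendered as mod_auth_openidc directives) and a custom_location_directives list (rendered inside the proxied Location blocks); the IdP URL, client ID, claim name and the exact header and cookie names stripped are assumptions for the example.

```yaml
# ood_portal.yml (excerpt) - added example, not the project's defaults.
# Assumed: OOD 4.0.x with mod_auth_openidc; key names follow ood_portal.yml
# conventions (oidc_settings, custom_location_directives).

auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'

oidc_uri: '/oidc'
oidc_provider_metadata_url: 'https://idp.example.edu/.well-known/openid-configuration'  # assumed
oidc_client_id: 'ondemand'                 # assumed
oidc_client_secret: 'REDACTED'
oidc_remote_user_claim: 'preferred_username'  # assumed claim name

oidc_settings:
  # Weak setting: claims are copied into OIDC_CLAIM_* request headers and
  # forwarded to every proxied origin, including user-started apps on
  # compute nodes. Leaving this at 'both' or 'headers' is what the
  # advisory warns about.
  # OIDCPassClaimsAs: 'both'
  #
  # Hardened: keep claims in Apache environment variables only (or 'none').
  # Environment variables are not part of the proxied request.
  OIDCPassClaimsAs: 'environment'
  # Keep the mod_auth_openidc session cookies out of proxied requests as well
  # (cookie names assumed; match them to the site's actual cookie names).
  OIDCStripCookies: 'mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1'

# 4.0.x workaround until 4.1 is deployed: remove anything a rogue origin
# could harvest from requests the proxy sends on the user's behalf.
# Header names are assumed for the example.
custom_location_directives:
  - 'RequestHeader unset Authorization'
  - 'RequestHeader unset OIDC_access_token'
  - 'RequestHeader unset OIDC_id_token'
  # Belt-and-braces: drop any leftover mod_auth_openidc_* cookie from the
  # Cookie header even if OIDCStripCookies misses a chunk name.
  - 'RequestHeader edit* Cookie "(^|;\s*)mod_auth_openidc_[^;]*(;\s*|$)" ""'
```

After regenerating the Apache configuration, verify the change the same way an attacker would test it: start a throwaway HTTP listener on a compute node that dumps the request headers it receives, open it through the portal's per-node proxy, and confirm that no Authorization, OIDC_* or mod_auth_openidc_* values appear in the dump. Note that OIDCPassClaimsAs only governs claims; the session cookie still needs OIDCStripCookies or a RequestHeader edit, which is why both are shown.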

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2025-66029
GHSA-2cwp-8g29-9q32

Affected Products

Apache HTTP Server
Open OnDemand
mod_auth_openidc