Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2025-66029
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-17 Dec, 2025 | 23:16
Updated At-18 Feb, 2026 | 19:42

Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that record these headers when unsuspecting users connect to it. Maintainers anticipate a patch in a 4.1 release. Workarounds exist for 4.0.x versions. Using `custom_location_directives` in `ood_portal.yml` in version 4.0.x (not available for versions below 4.0) centers can unset and or edit these headers. Note that `OIDCPassClaimsAs both` is the default and centers can set `OIDCPassClaimsAs ` to `none` or `environment` to stop passing these headers to the client. Centers that have an OIDC provider with the `OIDCPassClaimsAs` with `none` or `environment` settings can adjust the settings using guidance provided in GHSA-2cwp-8g29-9q32 to unset the mod_auth_openidc_session cookies.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.6HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
CPE Matches
osc
osc
>>open_ondemand>>Versions up to 4.0.8(inclusive)
cpe:2.3:a:osc:open_ondemand:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-522Primarysecurity-advisories@github.com
CWE-523Primarysecurity-advisories@github.com
CWE ID: CWE-522
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-523
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/OSC/ondemand/security/advisories/GHSA-2cwp-8g29-9q32security-advisories@github.com
Vendor Advisory
Mitigation
Hyperlink: https://github.com/OSC/ondemand/security/advisories/GHSA-2cwp-8g29-9q32
Source: security-advisories@github.com
Resource:
Vendor Advisory
Mitigation
Change History
0Changes found
Details not found