CVE-2025-53636 (GCVE-0-2025-53636)
Vulnerability from cvelistv5
Published
2025-07-11 21:20
Modified
2025-07-14 20:13
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-779 - Logging of Excessive Data
Summary
Open OnDemand is an open-source HPC portal. Users can flood logs by interacting with the shell app and generating many errors. Users who flood logs can create very large log files causing a Denial of Service (DoS) to the ondemand system. This vulnerability is fixed in 3.1.14 and 4.0.6.
References
security-advisories@github.comhttps://github.com/OSC/ondemand/commit/40800d68cd019c5f1c48b2deafebba6dff4abee2
security-advisories@github.comhttps://github.com/OSC/ondemand/commit/96f29b995e1add7562516614e4dc8d961987e8b4
security-advisories@github.comhttps://github.com/OSC/ondemand/security/advisories/GHSA-x5xv-fw37-v524
Impacted products
Vendor Product Version
OSC ondemand Version: >= 1.6, < 3.1.14
Version: >= 4.0.0-0.rc1, < 4.0.6
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53636",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-14T14:45:51.860688Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-14T20:13:13.885Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ondemand",
          "vendor": "OSC",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.6, \u003c 3.1.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-0.rc1, \u003c 4.0.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open OnDemand is an open-source HPC portal. Users can flood logs by interacting with the shell app and generating many errors. Users who flood logs can create very large log files causing a Denial of Service (DoS) to the ondemand system. This vulnerability is fixed in 3.1.14 and 4.0.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-779",
              "description": "CWE-779: Logging of Excessive Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T21:20:14.261Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OSC/ondemand/security/advisories/GHSA-x5xv-fw37-v524",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OSC/ondemand/security/advisories/GHSA-x5xv-fw37-v524"
        },
        {
          "name": "https://github.com/OSC/ondemand/commit/40800d68cd019c5f1c48b2deafebba6dff4abee2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OSC/ondemand/commit/40800d68cd019c5f1c48b2deafebba6dff4abee2"
        },
        {
          "name": "https://github.com/OSC/ondemand/commit/96f29b995e1add7562516614e4dc8d961987e8b4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OSC/ondemand/commit/96f29b995e1add7562516614e4dc8d961987e8b4"
        }
      ],
      "source": {
        "advisory": "GHSA-x5xv-fw37-v524",
        "discovery": "UNKNOWN"
      },
      "title": "Open OnDemand Shell App closed websocket DoS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53636",
    "datePublished": "2025-07-11T21:20:14.261Z",
    "dateReserved": "2025-07-07T14:20:38.390Z",
    "dateUpdated": "2025-07-14T20:13:13.885Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53636\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-11T22:15:25.400\",\"lastModified\":\"2025-07-15T13:14:49.980\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open OnDemand is an open-source HPC portal. Users can flood logs by interacting with the shell app and generating many errors. Users who flood logs can create very large log files causing a Denial of Service (DoS) to the ondemand system. This vulnerability is fixed in 3.1.14 and 4.0.6.\"},{\"lang\":\"es\",\"value\":\"Open OnDemand es un portal de HPC de c\u00f3digo abierto. Los usuarios pueden inundar los registros al interactuar con la aplicaci\u00f3n shell, lo que genera numerosos errores. Estos usuarios pueden crear archivos de registro muy grandes, lo que provoca una denegaci\u00f3n de servicio (DoS) en el sistema OnDemand. Esta vulnerabilidad se corrigi\u00f3 en las versiones 3.1.14 y 4.0.6.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"},{\"lang\":\"en\",\"value\":\"CWE-779\"}]}],\"references\":[{\"url\":\"https://github.com/OSC/ondemand/commit/40800d68cd019c5f1c48b2deafebba6dff4abee2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/OSC/ondemand/commit/96f29b995e1add7562516614e4dc8d961987e8b4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/OSC/ondemand/security/advisories/GHSA-x5xv-fw37-v524\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53636\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-14T14:45:51.860688Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-14T14:45:55.966Z\"}}], \"cna\": {\"title\": \"Open OnDemand Shell App closed websocket DoS\", \"source\": {\"advisory\": \"GHSA-x5xv-fw37-v524\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"OSC\", \"product\": \"ondemand\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.6, \u003c 3.1.14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.0.0-0.rc1, \u003c 4.0.6\"}]}], \"references\": [{\"url\": \"https://github.com/OSC/ondemand/security/advisories/GHSA-x5xv-fw37-v524\", \"name\": \"https://github.com/OSC/ondemand/security/advisories/GHSA-x5xv-fw37-v524\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/OSC/ondemand/commit/40800d68cd019c5f1c48b2deafebba6dff4abee2\", \"name\": \"https://github.com/OSC/ondemand/commit/40800d68cd019c5f1c48b2deafebba6dff4abee2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/OSC/ondemand/commit/96f29b995e1add7562516614e4dc8d961987e8b4\", \"name\": \"https://github.com/OSC/ondemand/commit/96f29b995e1add7562516614e4dc8d961987e8b4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open OnDemand is an open-source HPC portal. Users can flood logs by interacting with the shell app and generating many errors. Users who flood logs can create very large log files causing a Denial of Service (DoS) to the ondemand system. This vulnerability is fixed in 3.1.14 and 4.0.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-779\", \"description\": \"CWE-779: Logging of Excessive Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-11T21:20:14.261Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53636\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-14T20:13:13.885Z\", \"dateReserved\": \"2025-07-07T14:20:38.390Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-11T21:20:14.261Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.