HTCONDOR-2025-0001

HTCondor
Overview
Download
Documentation
Release Highlights
Release Schedule

HTCondor-CE
Overview
Download
Documentation
Release Highlights

General
News
Security
Documentation
Download

Documentation
HTCondor
HTCondor-CE

Support
HTCSS Contract Support
Community Mailing List
External Support Organizations

Email Lists
Users / Help
World / Announcements

Workshops
Throughput Computing 2024
Materials from past Workshops

HTCSS
What is HTCSS?
Logos

CHTC
Website ⬏
Staff ⬏
Jobs ⬏
Research & Publications ⬏

CVE-2025-30093

Summary:

A user who has an IDToken with restricted authorization could perform some operations that should be denied by those restrictions. They would still be constrained to the authorization levels granted to the IDToken's identity in the HTCondor configuration files.

Component	Vulnerable Versions	Platform	Availability	Fix Available
All daemons	All versions	All platforms	Not known to be publicly exploited	23.0.22, 23.10.22, 24.0.6, 24.6.1
Status	Access Required	Host Type Required	Effort Required	Impact/Consequences
Verified	Access to any daemon with IDToken signing keys	Any host	Low	Medium
Fixed Date	Credit
2025-03-27	Jaime Frey

Access Required: Access to any daemon with IDToken signing keys

An attacker needs an IDToken that can be validated by the targeted daemon (i.e. the daemon has access to the token's sigining key). The attacker does not need to be granted access by the daemon's configured authorization policy.

Effort Required: Low

An attacker does not need to write custom tools.

Impact/Consequences Required: Medium

This attack allows a user to perform all actions to which their HTCondor identity is entitled via daemons' authorization policy. This is the same level of access available when using most other forms of authentication (FS, NTSSPI, SSL, KERBEROS, MUNGE) for the same identity.

Workaround:

You are potentially at risk if you have run any of the following commands:

condor_token_create with the -authz option
condor_token_fetch with the -authz option
condor_token_request with the -authz option
condor_token_request_approve
condor_token_request_auto_approve
condor_scitoken_exchange

If you have not run any of these commands, then your HTCSS systems are not at risk.

Upgrading all HTCondor daemons to version 23.0.22, 23.10.22, 24.0.6 or 24.6.1 fully addresses this vulnerability.

If upgrading isn't possible, you can mitigate this issue by constraining new IDTokens issued by a daemon to have no authorizations. Add this to your configuration files:

SEC_TOKEN_REQUEST_LIMITS = DENY

SEC_ISSUED_TOKEN_EXPIRATION = 0

Note that this will limit all issuance of IDTokens by HTCondor daemons.

If you fear that this vulnerability has already been exploited on your systems, you should replace all of your IDToken signing keys and issue new tokens using the new keys. Also, please email us at htcondor-security@cs.wisc.edu.

Full Details:

Embargoed until future notice.

40 Years of Throughput Computing: A Celebration!

Oral Roberts University Advances Cyberinfrastructure with OSPool Integration

IceCube Neutrino Observatory’s Use of High Throughput Computing: Making Discoveries in Astrophysics Using Neutrinos

Erik Wright: A Biologist Using High Throughput Computing to Unravel Antibiotic Resistance

Collaborations Between Two National Laboratories and the OSG Consortium Propel Nuclear and High-Energy Physics Forward

Learning and adapting with OSG: Investigating the strong nuclear force

What is HTCSS?

HTCONDOR-2025-0001

CVE-2025-30093