Azure Linux 3.0 Security Update: opa (CVE-2025-46569)

🗓️ 22 Jan 2026 00:00:00Reported by TenableType

Azure Linux 3.0 host runs OPA before 1.4.0; Rego injection and DoS risk; upgrade to 1.4.0 and restrict API access.

Reporter	Title	Published	Views	Family All 79
CBLMariner	CVE-2025-46569 affecting package opa for versions less than 0.63.0-2	10 Jul 202515:09	–	cbl_mariner
Chainguard	CVE-2025-46569 vulnerabilities	6 May 202513:14	–	cgr
Circl	CVE-2025-46569	1 May 202520:16	–	circl
CNNVD	Open Policy Agent 安全漏洞	1 May 202500:00	–	cnnvd
CVE	CVE-2025-46569	1 May 202519:32	–	cve
Cvelist	CVE-2025-46569 OPA server Data API HTTP path injection of Rego	1 May 202519:32	–	cvelist
Debian CVE	CVE-2025-46569	1 May 202519:32	–	debiancve
EUVD	EUVD-2025-12838	3 Oct 202520:07	–	euvd
Github Security Blog	OPA server Data API HTTP path injection of Rego	1 May 202517:02	–	github
Microsoft CVE	OPA server Data API HTTP path injection of Rego	11 Jul 202507:00	–	mscve

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-46569
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(295644);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/22");

  script_cve_id("CVE-2025-46569");

  script_name(english:"Azure Linux 3.0 Security Update: opa (CVE-2025-46569)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Azure Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of opa installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected
by a vulnerability as referenced in the CVE-2025-46569 advisory.

  - Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run
    as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document
    through the Data API entails policy evaluation, where a Rego query containing a single data document
    reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP
    request path can be crafted in a way that injects Rego code into the constructed query. The evaluation
    result cannot be made to return any other data than what is generated by the requested path, but this path
    can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening
    up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore,
    the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS)
    attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA's
    RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production
    reasons. (CVE-2025-46569)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2025-46569");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:H/SI:H/SA:H");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-46569");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/05/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:opa");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:opa-debuginfo");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:microsoft:azure_linux");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Azure Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AzureLinux/release", "Host/AzureLinux/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item('Host/AzureLinux/release');
if (isnull(release) || 'Azure Linux' >!< release) audit(AUDIT_OS_NOT, 'Azure Linux');
var os_ver = pregmatch(pattern: "Azure Linux ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Azure Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Azure Linux 3.0', 'Azure Linux ' + os_ver);

if (!get_kb_item('Host/AzureLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu)
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Azure Linux', cpu);

var pkgs = [
    {'reference':'opa-0.63.0-2.azl3', 'cpu':'aarch64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'opa-0.63.0-2.azl3', 'cpu':'x86_64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'opa-debuginfo-0.63.0-2.azl3', 'cpu':'aarch64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'opa-debuginfo-0.63.0-2.azl3', 'cpu':'x86_64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'Azure Linux ' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'opa / opa-debuginfo');
}

22 Jan 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 47.4

EPSS0.0036

SSVC