6 matches found
Rego Code Injection
github.com/open-policy-agent/opa is vulnerable to Rego code injection. The vulnerability is due to unsanitized HTTP request paths being used to construct Rego queries during policy evaluation, allowing attackers to inject Rego code...
CVE-2025-46569 OPA server Data API HTTP path injection of Rego
Open Policy Agent OPA is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a singl...
CVE-2025-46569
Summary: CVE-2025-46569 affects Open Policy Agent (OPA) prior to 1.4.0 when run as a server. A HTTP Data API path can be crafted to inject Rego code into the constructed query, enabling potential oracle attacks, incorrect policy decisions, and a DoS via expensive evaluation. Impact: high (policy ...
OPA server Data API HTTP path injection of Rego
Impact When run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used...
GHSA-6M8W-JC87-6CR7 OPA server Data API HTTP path injection of Rego
Impact When run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used...
PT-2025-18710 · Unknown · Open Policy Agent
Name of the Vulnerable Software and Affected Versions: Open Policy Agent OPA versions prior to 1.4.0 Description: The issue concerns the Open Policy Agent OPA, a general-purpose policy engine. In versions prior to 1.4.0, when run as a server, OPA exposes an HTTP Data API. A crafted HTTP request...