{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-46569", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-24T21:10:48.175Z", "datePublished": "2025-05-01T19:32:47.988Z", "dateUpdated": "2025-05-02T18:08:19.750Z"}, "containers": {"cna": {"title": "OPA server Data API HTTP path injection of Rego", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7"}, {"name": "https://github.com/open-policy-agent/opa/commit/ad2063247a14711882f18c387a511fc8094aa79c", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/commit/ad2063247a14711882f18c387a511fc8094aa79c"}], "affected": [{"vendor": "open-policy-agent", "product": "opa", "versions": [{"version": "< 1.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-01T19:32:47.988Z"}, "descriptions": [{"lang": "en", "value": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA\u2019s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons."}], "source": {"advisory": "GHSA-6m8w-jc87-6cr7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-02T18:08:05.851856Z", "id": "CVE-2025-46569", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T18:08:19.750Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46569", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-02T18:08:05.851856Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T18:08:14.174Z"}}], "cna": {"title": "OPA server Data API HTTP path injection of Rego", "source": {"advisory": "GHSA-6m8w-jc87-6cr7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "open-policy-agent", "product": "opa", "versions": [{"status": "affected", "version": "< 1.4.0"}]}], "references": [{"url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7", "name": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/open-policy-agent/opa/commit/ad2063247a14711882f18c387a511fc8094aa79c", "name": "https://github.com/open-policy-agent/opa/commit/ad2063247a14711882f18c387a511fc8094aa79c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA\u2019s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-01T19:32:47.988Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46569", "state": "PUBLISHED", "dateUpdated": "2025-05-02T18:08:19.750Z", "dateReserved": "2025-04-24T21:10:48.175Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-01T19:32:47.988Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA\u2019s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons."}, {"lang": "es", "value": "Open Policy Agent (OPA) es un motor de pol\u00edticas de c\u00f3digo abierto y prop\u00f3sito general. Antes de la versi\u00f3n 1.4.0, al ejecutarse como servidor, OPA expon\u00eda una API de datos HTTP para leer y escribir documentos. Solicitar un documento virtual a trav\u00e9s de la API de datos implicaba la evaluaci\u00f3n de pol\u00edticas, donde se generaba una consulta Rego con una \u00fanica referencia al documento de datos a partir de la ruta solicitada. Esta consulta se utiliza para la evaluaci\u00f3n de pol\u00edticas. Una ruta de solicitud HTTP puede configurarse de forma que inyecte c\u00f3digo Rego en la consulta construida. El resultado de la evaluaci\u00f3n no puede devolver datos distintos a los generados por la ruta solicitada, pero esta puede desviarse y el c\u00f3digo Rego inyectado puede configurarse para que la consulta tenga \u00e9xito o fracase, lo que expone a ataques de or\u00e1culo o, en las circunstancias adecuadas, a decisiones de pol\u00edtica err\u00f3neas. Adem\u00e1s, el c\u00f3digo inyectado puede configurarse para que sea computacionalmente costoso, lo que resulta en un ataque de denegaci\u00f3n de servicio (DoS). Este problema se ha corregido en la versi\u00f3n 1.4.0. Una soluci\u00f3n alternativa implica que el acceso de red a las API RESTful de OPA se limite a `localhost` y/o redes confiables, a menos que sea necesario por razones de producci\u00f3n."}], "id": "CVE-2025-46569", "lastModified": "2025-05-02T13:52:51.693", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-01T20:15:37.887", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/open-policy-agent/opa/commit/ad2063247a14711882f18c387a511fc8094aa79c"}, {"source": "security-advisories@github.com", "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/open-policy-agent/opa/server: github.com/open-policy-agent/opa/v1/server: OPA server Data API HTTP path injection of Rego", "id": "2363571", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363571"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "status": "draft"}, "cwe": "(CWE-863|CWE-94)", "details": ["No description is available for this CVE."], "name": "CVE-2025-46569", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-validation-rhel9", "product_name": "Migration Toolkit for Virtualization"}], "public_date": "2025-05-01T19:32:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-46569\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-46569\nhttps://github.com/open-policy-agent/opa/commit/ad2063247a14711882f18c387a511fc8094aa79c\nhttps://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7"], "threat_severity": "Important"}