
Johanneslarsson

#42605 of 53,633
6.3 Total CVSS
Vulnerabilities · 1
PT-2022-16142
6.3
2022-02-09
Open Policy Agent · Open Policy Agent · CVE-2022-23628
**Name of the Vulnerable Software and Affected Versions**

Open Policy Agent (OPA) versions prior to 0.37.2

**Description**

Pretty-printing an abstract syntax tree (AST) that contains synthetic nodes can change the logic of some statements by reordering array literals. This issue affects policies that parse and compare web paths. Three conditions must be met to create an adverse effect:

1. An AST of Rego had to be created programmatically such that it ends up containing terms without a location (such as wildcard variables).
2. The AST had to be pretty-printed using the `github.com/open-policy-agent/opa/format` package.
3. The result of the pretty-printing had to be parsed and evaluated again via an OPA instance using the bundles, or the Golang packages.

Notably, all three conditions would be true if using optimized bundles, i.e., bundles created with `opa build -O=1` or higher.

**Recommendations**

To resolve the issue, update to version 0.37.2 or later. As a temporary workaround, consider disabling optimization when creating bundles by not using the `-O=1` flag or higher with the `opa build` command.