PT-2025-18710 · Unknown · Open Policy Agent

Published: 2025-05-01 · Updated: 2025-12-12 · CVE-2025-46569

CVSS v4.0: 7.4 (High)

Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Open Policy Agent (OPA) versions prior to 1.4.0

Description: The issue concerns the Open Policy Agent (OPA), a general-purpose policy engine. In versions prior to 1.4.0, when run as a server, OPA exposes an HTTP Data API. A crafted HTTP request path can inject Rego code into the query that the server constructs for policy evaluation. Although the evaluation result cannot return data other than what the requested path yields, the injected Rego code can be crafted to make the query succeed or fail, which enables oracle attacks or produces erroneous policy decisions. The injected code can also be computationally expensive, resulting in a denial of service (DoS).

Recommendations: Update to version 1.4.0, which resolves the issue. As a temporary workaround, restrict network access to OPA's RESTful APIs to localhost and/or trusted networks unless wider exposure is required in production.
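The flaw class the description sketches, as an added illustration written for this page rather than code from the OPA project: a simplified Go model of how a Data API request path becomes a query, first spliced in verbatim (the vulnerable shape), then rendered so that every segment is a quoted ref key and can only ever be data. The helper names, the keyword list, the character set and the sample paths (including the `%5B_%5D` segment) are constructed for the example; they are not OPA's identifiers or a published payload.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Illustrative model added for this page; not OPA's own server code.

// regoIdent: segments that can be written as a bare dotted ref term.
var regoIdent = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// regoKeywords is a conservative (assumed) list of words that are always
// quoted rather than emitted bare, so a segment never reads as a keyword.
var regoKeywords = map[string]bool{
	"as": true, "contains": true, "default": true, "else": true, "every": true,
	"false": true, "if": true, "import": true, "in": true, "not": true,
	"null": true, "package": true, "some": true, "true": true, "with": true,
}

// regoSyntaxChars: characters with meaning in Rego source (assumed set).
const regoSyntaxChars = "\"`[](){};=:<>!|&+*%,#\\ \t\r\n"

// splitDataPath takes the part of the URL after /v1/data (assumed already
// stripped) and returns the percent-decoded segments, as a server sees them.
func splitDataPath(p string) ([]string, error) {
	p = strings.Trim(p, "/")
	if p == "" {
		return nil, nil // root of the document: the query is just "data"
	}
	var segs []string
	for _, raw := range strings.Split(p, "/") {
		seg, err := url.PathUnescape(raw)
		if err != nil {
			return nil, err
		}
		segs = append(segs, seg)
	}
	return segs, nil
}

// unsafeQuery models the vulnerable shape: decoded segments are concatenated
// straight into query text, so Rego punctuation in a segment becomes code.
func unsafeQuery(p string) (string, error) {
	segs, err := splitDataPath(p)
	if err != nil {
		return "", err
	}
	if len(segs) == 0 {
		return "data", nil
	}
	return "data." + strings.Join(segs, "."), nil
}

// safeQuery renders each segment as a ref term: bare when it is a plain
// non-keyword identifier, otherwise a JSON-quoted string key (Rego string
// literals use JSON syntax). Whatever the segment contains, it stays data.
func safeQuery(p string) (string, error) {
	segs, err := splitDataPath(p)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	b.WriteString("data")
	for _, seg := range segs {
		if regoIdent.MatchString(seg) && !regoKeywords[seg] {
			b.WriteString("." + seg)
			continue
		}
		q, err := json.Marshal(seg) // escapes quotes, backslashes, control chars
		if err != nil {
			return "", err
		}
		b.WriteString("[" + string(q) + "]")
	}
	return b.String(), nil
}

// suspiciousSegments is a triage helper for access logs or an edge filter:
// it returns decoded segments containing Rego syntax characters. It is a
// signal, not a fix (keys such as e-mail addresses are legitimate data).
func suspiciousSegments(p string) []string {
	segs, err := splitDataPath(p)
	if err != nil {
		return []string{p} // undecodable paths are themselves worth flagging
	}
	var out []string
	for _, seg := range segs {
		if strings.ContainsAny(seg, regoSyntaxChars) {
			out = append(out, seg)
		}
	}
	return out
}

func main() {
	// Constructed sample paths; %5B_%5D only shows that percent-encoded
	// punctuation decodes into the query text.
	for _, p := range []string{"/example/allow", "/users/alice@example.com/allow", "/example/allow%5B_%5D"} {
		u, _ := unsafeQuery(p)
		s, _ := safeQuery(p)
		fmt.Printf("%-32s unsafe=%-26s safe=%-36s flagged=%v\n", p, u, s, suspiciousSegments(p))
	}
}
```

The point of the two builders is that the fix is in how the query is constructed, not in filtering the path: data keys may legitimately contain punctuation, so a character deny-list at the edge would break valid lookups while still leaving the concatenation in place. `suspiciousSegments` is only useful for spotting probes in access logs while hosts are being updated to 1.4.0.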

Exploit

Fix

Weakness Enumeration: DoS · Incorrect Authorization · OS Command Injection · Code Injection · Allocation of Resources Without Limits

Related Identifiers

AZL-63067
CVE-2025-46569
ECHO-4D87-77FE-13DC
GHSA-6M8W-JC87-6CR7
GO-2025-3660
OPENSUSE-SU-2025:15059-1
OPENSUSE-SU-2025:15253-1
OPENSUSE-SU-2025:15355-1
OPENSUSE-SU-2025:15370-1
OPENSUSE-SU-2025:15530-1
OPENSUSE-SU-2025:20117-1
OPENSUSE-SU-2025:20160-1
SUSE-SU-2025:02592-1

Affected Products

Open Policy Agent
Suse