Platform
go
Component
github.com/open-policy-agent/opa
Fixed version
1.4.1
1.4.0
CVE-2025-46569 describes a path injection vulnerability within the OPA server's Data API when using Rego. This flaw allows attackers to inject malicious Rego code into the API, potentially leading to unauthorized access and control over the policy enforcement system. The vulnerability impacts versions of OPA prior to 1.4.0. A fix has been released in version 1.4.0.
The path injection vulnerability in OPA's Data API allows an attacker to craft malicious requests that inject arbitrary Rego code. Successful exploitation could enable an attacker to bypass policy checks, extract sensitive data, or even execute arbitrary code on the server hosting OPA. The blast radius extends to any system relying on OPA for policy enforcement, as compromised policies could affect a wide range of applications and services. This vulnerability is particularly concerning given OPA's use in securing cloud infrastructure, microservices, and other critical systems.
CVE-2025-46569 was publicly disclosed on May 5, 2025. The EPSS score is currently pending evaluation. No public proof-of-concept exploits are currently known, but the nature of the vulnerability suggests a moderate probability of exploitation given sufficient attacker effort. Monitor security advisories and threat intelligence feeds for updates.
Organizations heavily reliant on OPA for policy enforcement, particularly those using it to secure cloud infrastructure, Kubernetes clusters, or microservices architectures, are at significant risk. Environments where the OPA Data API is exposed to untrusted networks are especially vulnerable.
• go / server: Monitor OPA logs for unusual Rego query patterns or errors related to Rego parsing. Look for requests containing suspicious characters or keywords commonly used in Rego code.
journalctl -u opa -f | grep -i "error parsing rego"
• generic web: Use curl to test the Data API endpoint with various Rego queries, observing the responses for unexpected behavior or errors.
curl -X POST -d '{"query": "// malicious rego code"}' http://<opa_server>/data/query
Exploitation status
EPSS
0.06% (20th percentile)
CISA SSVC
The primary mitigation for CVE-2025-46569 is to upgrade to Open Policy Agent version 1.4.0 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation on the Data API to sanitize Rego queries. While not a complete solution, this can reduce the attack surface. Monitor OPA logs for unusual Rego query patterns that might indicate an attempted exploitation. After upgrading, confirm the fix by attempting to inject a known malicious Rego query via the Data API and verifying that it is rejected.
Upgrade Open Policy Agent to version 1.4.0 or later. Alternatively, restrict network access to OPA's RESTful APIs to `localhost` and/or trusted networks unless wider access is required for production reasons. This mitigates the risk of Rego code injection through the Data API.
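The log monitoring suggested under detection and the trusted-network restriction suggested as a workaround can be combined into one triage pass over OPA server logs. The following is an added example, not code from the OPA project: it reads JSON request-log lines in the shape OPA emits by default (the field names `req_path`, `client_addr`, `resp_status`, `req_id` and `msg` are assumed), flags Data API calls from outside an assumed trusted-network list, and flags Rego parse errors and 400 responses on the Data API. The sample log lines are constructed.

```python
import ipaddress
import json
from typing import Optional

# Networks from which Data API calls are expected (assumed values; adjust per deployment).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]
# Log message fragments the advisory suggests watching for.
PARSE_ERROR_MARKERS = ("error parsing rego", "rego_parse_error")

def _host_of(addr: str) -> str:
    # "10.1.2.3:51234" -> "10.1.2.3"; "[::1]:51234" -> "::1"; bare addresses pass through.
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.split(":")[0] if addr.count(":") == 1 else addr

def client_is_trusted(client_addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(_host_of(client_addr))
    except ValueError:  # empty or malformed address: treat as untrusted
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)

def is_data_api(path: str) -> bool:
    return path.startswith("/v1/data") or path.startswith("/data")

def triage_log_line(line: str) -> Optional[dict]:
    """Return an alert for a suspicious OPA request-log line, or None."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    path, msg = entry.get("req_path", ""), str(entry.get("msg", "")).lower()
    reasons = []
    if is_data_api(path) and not client_is_trusted(entry.get("client_addr", "")):
        reasons.append("data_api_from_untrusted_network")
    if any(m in msg for m in PARSE_ERROR_MARKERS):
        reasons.append("rego_parse_error")
    if is_data_api(path) and entry.get("resp_status") == 400:
        reasons.append("data_api_bad_request")
    if not reasons:
        return None
    return {"req_id": entry.get("req_id"), "client": entry.get("client_addr"), "path": path, "reasons": reasons}

def triage(lines) -> list:
    return [a for a in (triage_log_line(l) for l in lines) if a]

# Constructed sample lines (not real OPA output) mimicking OPA's JSON request logging.
SAMPLE_LOG = [
    '{"level":"info","msg":"Received request.","req_id":1,"req_method":"GET","req_path":"/v1/data/authz/allow","client_addr":"127.0.0.1:40100"}',
    '{"level":"info","msg":"Sent response.","req_id":1,"req_path":"/v1/data/authz/allow","client_addr":"127.0.0.1:40100","resp_status":200}',
    '{"level":"info","msg":"Received request.","req_id":2,"req_method":"POST","req_path":"/v1/data/authz","client_addr":"203.0.113.9:5173"}',
    '{"level":"info","msg":"Sent response.","req_id":2,"req_path":"/v1/data/authz","client_addr":"203.0.113.9:5173","resp_status":400}',
    '{"level":"error","msg":"error parsing rego: 1 error occurred","req_id":2}',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

A 400 on the Data API from an untrusted address followed by a parse error with the same `req_id` is the pattern worth correlating; requests from trusted networks that parse cleanly produce no alert.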
CVE-2025-46569 is a path injection vulnerability in OPA's Data API affecting versions before 1.4.0. It allows attackers to inject malicious Rego code, potentially bypassing policy enforcement.
You are affected if you are using Open Policy Agent (OPA) versions prior to 1.4.0 and the Data API is exposed.
Upgrade to Open Policy Agent version 1.4.0 or later. As a temporary workaround, implement input validation on the Data API to sanitize Rego queries.
No public exploits are currently known, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official Open Policy Agent security advisories on their website or GitHub repository for the latest information.