Incorrect Authorization Affecting github.com/open-policy-agent/opa/v1/server package, versions <1.4.0


Severity

high (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMOPENPOLICYAGENTOPAV1SERVER-9919789
  • published: 2 May 2025
  • disclosed: 1 May 2025
  • credit: Gamray, HyouKa'sh

Introduced: 1 May 2025

CVE-2025-46569
CWE-863 (Incorrect Authorization)

How to fix?

Upgrade github.com/open-policy-agent/opa/v1/server to version 1.4.0 or higher.

Overview

Affected versions of this package are vulnerable to Incorrect Authorization via the HTTP Data API. The path of a Data API request is used to build the Rego query that the server evaluates, so an attacker who can reach the API can manipulate the Rego code within that query, either causing the server to perform unintended actions or making it consume excessive resources, leading to a Denial of Service (DoS).

Note:

This is only exploitable if all of these conditions are met:

  1. OPA is deployed as a standalone server (rather than being used as a Go library);

  2. network access to OPA's RESTful APIs is not restricted to localhost or trusted networks;

  3. the configured authorization policy (the system.authz package) does not do exact matching of the input.path attribute when deciding whether the request should be allowed.
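The following authorization policy is an added illustration of condition 3; it is example code written for this page, not code from the advisory or from the OPA project, and it does not reproduce any crafted request. It shows the kind of prefix-style check on input.path that leaves a server exposed beside the exact match that closes the gap. OPA evaluates data.system.authz.allow for every HTTP request when started with --authorization=basic, and input.path is the request path split into segments. The policy path app/allow used below is a made-up value for this example.

```rego
package system.authz

# Added example for this page; not code from the advisory or the OPA project.
# With `opa run --server --authorization=basic`, OPA evaluates this package's
# `allow` rule for every HTTP request. input.method is the HTTP method and
# input.path is the request path split into segments, for example
# ["v1", "data", "app", "allow"] for GET /v1/data/app/allow.
# The policy path app/allow is a made-up value for this example.

default allow := false

# WEAK FORM (the situation described in condition 3): only the leading
# segments are compared, so any path under /v1/data/app is accepted no
# matter what the remaining segments contain. Kept here, commented out,
# for contrast with the rule below.
#
# allow if {
#     input.method in {"GET", "POST"}
#     input.path[0] == "v1"
#     input.path[1] == "data"
#     input.path[2] == "app"
# }

# HARDENED FORM: the whole segment list must equal the one path clients are
# meant to query. Array equality in Rego compares length and every element,
# so a request with extra or altered segments does not match.
# POST is included because the Data API uses it when the caller supplies input.
allow if {
    input.method in {"GET", "POST"}
    input.path == ["v1", "data", "app", "allow"]
}

# Unit tests, run with `opa test authz.rego`. In a deployment keep them in a
# separate _test.rego file; they are inline here so the block stands alone.
test_exact_path_allowed if {
    allow with input as {"method": "GET", "path": ["v1", "data", "app", "allow"]}
}

test_extra_segment_denied if {
    not allow with input as {"method": "GET", "path": ["v1", "data", "app", "allow", "extra"]}
}

test_altered_segment_denied if {
    not allow with input as {"method": "POST", "path": ["v1", "data", "app", "other"]}
}

test_other_method_denied if {
    not allow with input as {"method": "DELETE", "path": ["v1", "data", "app", "allow"]}
}
```

The exact-match rule is the policy-side control the advisory's third condition refers to: a request whose path segments differ in any way from the expected query is rejected before the Data API handler sees it. It complements, rather than replaces, upgrading to 1.4.0 and restricting network access to the API (conditions 1 and 2).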
