The Digital Security Authority (DSA) wants to bring to your attention a vulnerability affecting Open Policy Agent.
Technical Details
CVE-2025-46569 is a high-severity vulnerability in Open Policy Agent (OPA) versions prior to 1.4.0 that allows attackers to inject Rego policy code through specially crafted HTTP Data API request paths. This can result in unauthorized policy behavior, potential data leakage, or denial of service. The issue has been fixed in OPA version 1.4.0, and users are strongly advised to upgrade immediately and restrict access to the OPA API.
The vulnerability lies in how Open Policy Agent (OPA) handles HTTP Data API paths. In affected versions (prior to 1.4.0), the request path is not properly sanitized before being processed in policy evaluation. This allows an attacker to inject Rego code via the URL path, potentially altering policy behavior or executing unintended logic.
The core issue stems from insufficient input validation, enabling injection into dynamically generated Rego queries. This could be exploited to craft malicious queries that:
• Bypass intended policy checks
• Leak sensitive decision-making data (oracle attacks)
• Consume excessive resources (DoS)
Affected Products:
All versions prior to 1.4.0
Recommendations
To resolve CVE-2025-46569, users should upgrade Open Policy Agent (OPA) to version 1.4.0 or later, which addresses the vulnerability by properly sanitizing request paths. It is also recommended to restrict access to the OPA Data API to trusted networks, enforce strict authorization policies, and avoid including untrusted input in request paths.
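As an added example that is not part of this advisory or of the OPA project's own documentation, the Rego policy below shows one way to apply the recommendation to restrict the Data API: with OPA started using `--authentication=token --authorization=basic`, every API request is checked against `data.system.authz.allow`, and only requests that carry a known bearer token and target an allow-listed query path get through. The token strings and the `httpapi/authz/allow` decision path are assumed placeholders, not values from the advisory.

```rego
# Added example (not from the advisory): OPA system authorization policy.
# Start OPA with: opa run --server --authentication=token --authorization=basic
# OPA then evaluates data.system.authz.allow for every HTTP API request, with
# input.method, input.path (array of path segments) and input.identity
# (the bearer token) describing the request.
package system.authz

import rego.v1

default allow := false

# Assumed placeholder tokens; in practice load these from a secret store.
clients := {
	"service-gateway-token": {"role": "caller"},
	"platform-admin-token": {"role": "admin"},
}

# Exact Data API decision paths a caller may query. Anything else on the
# Data API, including unexpected or oddly formed paths, is rejected here
# before it reaches policy evaluation.
allowed_queries := {
	["v1", "data", "httpapi", "authz", "allow"],
}

# Unauthenticated liveness checks only.
allow if {
	input.method == "GET"
	input.path == ["health"]
}

# Known callers may POST only to an allow-listed decision path.
allow if {
	input.method == "POST"
	clients[input.identity].role == "caller"
	input.path in allowed_queries
}

# Admins may manage policies, but still get no wildcard Data API access.
allow if {
	clients[input.identity].role == "admin"
	input.path[0] == "v1"
	input.path[1] == "policies"
}
```

Pair this with the upgrade to 1.4.0: the policy narrows who can reach the Data API and which paths they can query, but only the fixed release removes the path-sanitization defect itself.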
References
The information presented in this report is based on available data up to the 2nd of May 2025.