Skip to content

Commit f25e381

Browse files
thatnealpatelgopherbot
thatnealpatel
authored and
gopherbot
committed
data/reports: add GO-2025-3660
 - data/reports/GO-2025-3660.yaml Updates #3660 Change-Id: I970576fb1ef948d0f8e2b2bb360c5dee65fde7d1 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/669935 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Zvonimir Pavlinovic <[email protected]> Auto-Submit: Neal Patel <[email protected]>
1 parent 4596bce commit f25e381

File tree

2 files changed

+94
-0
lines changed

2 files changed

+94
-0
lines changed

data/osv/GO-2025-3660.json

+63
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
{
2+
"schema_version": "1.3.1",
3+
"id": "GO-2025-3660",
4+
"modified": "0001-01-01T00:00:00Z",
5+
"published": "0001-01-01T00:00:00Z",
6+
"aliases": [
7+
"CVE-2025-46569",
8+
"GHSA-6m8w-jc87-6cr7"
9+
],
10+
"summary": "OPA server Data API HTTP path injection of Rego in github.com/open-policy-agent/opa",
11+
"details": "OPA server Data API HTTP path injection of Rego in github.com/open-policy-agent/opa",
12+
"affected": [
13+
{
14+
"package": {
15+
"name": "github.com/open-policy-agent/opa",
16+
"ecosystem": "Go"
17+
},
18+
"ranges": [
19+
{
20+
"type": "SEMVER",
21+
"events": [
22+
{
23+
"introduced": "0"
24+
},
25+
{
26+
"fixed": "1.4.0"
27+
}
28+
]
29+
}
30+
],
31+
"ecosystem_specific": {
32+
"imports": [
33+
{
34+
"path": "github.com/open-policy-agent/opa/v1/server",
35+
"symbols": [
36+
"Server.makeRego",
37+
"Server.unversionedGetHealthWithPolicy",
38+
"Server.v0QueryPath",
39+
"baseHTTPListener.ListenAndServe",
40+
"baseHTTPListener.ListenAndServeTLS",
41+
"stringPathToDataRef",
42+
"stringPathToRef"
43+
]
44+
}
45+
]
46+
}
47+
}
48+
],
49+
"references": [
50+
{
51+
"type": "ADVISORY",
52+
"url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7"
53+
},
54+
{
55+
"type": "FIX",
56+
"url": "https://github.com/open-policy-agent/opa/commit/ad2063247a14711882f18c387a511fc8094aa79c"
57+
}
58+
],
59+
"database_specific": {
60+
"url": "https://pkg.go.dev/vuln/GO-2025-3660",
61+
"review_status": "REVIEWED"
62+
}
63+
}

data/reports/GO-2025-3660.yaml

+31
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
id: GO-2025-3660
2+
modules:
3+
- module: github.com/open-policy-agent/opa
4+
versions:
5+
- fixed: 1.4.0
6+
vulnerable_at: 1.3.0
7+
packages:
8+
- package: github.com/open-policy-agent/opa/v1/server
9+
symbols:
10+
- Server.unversionedGetHealthWithPolicy
11+
- Server.makeRego
12+
- stringPathToDataRef
13+
- Server.v0QueryPath
14+
- stringPathToRef
15+
derived_symbols:
16+
- baseHTTPListener.ListenAndServe
17+
- baseHTTPListener.ListenAndServeTLS
18+
summary: |-
19+
OPA server Data API HTTP path injection of Rego in
20+
github.com/open-policy-agent/opa
21+
cves:
22+
- CVE-2025-46569
23+
ghsas:
24+
- GHSA-6m8w-jc87-6cr7
25+
references:
26+
- advisory: https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7
27+
- fix: https://github.com/open-policy-agent/opa/commit/ad2063247a14711882f18c387a511fc8094aa79c
28+
source:
29+
id: GHSA-6m8w-jc87-6cr7
30+
created: 2025-05-05T11:20:27.529811-04:00
31+
review_status: REVIEWED

0 commit comments

Comments
 (0)