Open Policy Agent (OPA) v1.4.0 Patch Fixes Critical Path Traversal Vulnerability (CVE-2025-46569)
A critical security vulnerability in Open Policy Agent (OPA) has been patched. The flaw, tracked as CVE-2025-46569, is a path traversal issue in OPA's HTTP Data API when OPA runs as a server; it could allow attackers to bypass policy enforcement and access unauthorized data. By crafting a specific HTTP request path, an attacker can inject a malicious Rego query into the policy evaluation process, potentially leading to unauthorized data access or manipulation.
The flaw lies in the mechanism by which a request for a virtual document through the Data API triggers policy evaluation: the server constructs a Rego query from the requested path, and a specially crafted path can manipulate that query by exploiting the reference resolution process. This is not a theoretical issue; the GitHub security advisory (GHSA-6m8w-jc87-6cr7) confirms the vulnerability's existence and impact, prompting an immediate major version update from v0.68.0 to v1.4.0 to address it.
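Because the server derives a Rego query from the Data API path, a defender reviewing access logs for an unpatched OPA can flag Data API requests whose path segments contain characters a plain document key would not need. The script below is an added example, not code from OPA or the advisory; it assumes combined-format access logs, a conservative per-segment allowlist of `[A-Za-z0-9_-]` (tune to the keys your deployment actually uses), and constructed sample lines rather than real traffic. It is a triage heuristic, not the advisory's exact trigger condition.

```python
import re
from urllib.parse import unquote

# Assumption: document keys in this deployment use only these characters.
SEGMENT_OK = re.compile(r"^[A-Za-z0-9_-]+$")
DATA_API_PREFIXES = ("/v0/data/", "/v1/data/")
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /v1/data/authz/allow HTTP/1.1" 200 17
10.0.0.7 - - [01/May/2025:10:00:02 +0000] "POST /v1/data/app/my-service/allow HTTP/1.1" 200 17
10.0.0.9 - - [01/May/2025:10:00:03 +0000] "GET /v1/data/authz/allow%5Bx%5D HTTP/1.1" 200 17
10.0.0.9 - - [01/May/2025:10:00:04 +0000] "GET /v1/policies HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2025:10:00:05 +0000] "GET /v1/data/authz/%22x%22 HTTP/1.1" 200 17
"""


def suspicious_segments(target):
    """Return the percent-decoded Data API path segments that fail the allowlist.
    Requests outside the Data API return an empty list."""
    path = target.split("?", 1)[0]  # drop the query string before splitting
    prefix = next((p for p in DATA_API_PREFIXES if path.startswith(p)), None)
    if prefix is None:
        return []
    segments = [unquote(seg) for seg in path[len(prefix):].split("/")]
    return [seg for seg in segments if not SEGMENT_OK.match(seg)]


def scan_access_log(text):
    """Return (line_no, method, decoded_path, bad_segments) for each request whose
    Data API path carries a segment outside the allowlist."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        bad = suspicious_segments(m["target"])
        if bad:
            hits.append((n, m["method"], unquote(m["target"]), bad))
    return hits


if __name__ == "__main__":
    for n, method, path, bad in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {method} {path} -> suspicious segments {bad}")
```

A hit means the request deserves a look and a check that the server is on v1.4.0 or later, not that an injection succeeded.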
The patch is contained within a dependency update PR, highlighting the critical nature of the fix for any system using OPA for authorization and policy decision-making. Organizations relying on OPA, particularly in cloud-native and microservices architectures for security and compliance gates, must prioritize this update. Failure to apply the patch leaves systems vulnerable to a direct bypass of the core security policies OPA is designed to enforce, with significant implications for data integrity and access control.