GHSA-6xvf-4vh9-mw47: Minder does not sandbox http.send in Rego programs

November 20, 2025

Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to (for example, if the Minder server is behind a firewall or other network partition).

References

github.com/advisories/GHSA-6xvf-4vh9-mw47
github.com/mindersec/minder
github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8
github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47

Code Behaviors & Features

Detect and mitigate GHSA-6xvf-4vh9-mw47 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →