CVE-2024-40627: OpaMiddleware does not filter HTTP OPTIONS requests
HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application.
The maintainer is uncertain whether this should be classed as a “bug” or “security issue” – but is erring on the side of “security issue”, as an application could reasonably assume OPA controls apply to all HTTP methods, and the behaviour bypasses more sophisticated policies.
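The following is an added illustration of the flaw class, not fastapi-opa's own code: a simplified stand-in middleware in which OPTIONS skips the policy decision, beside the corrected form that applies the decision to every method, plus a small check that lists requests the policy denies but the middleware still lets through. The `Request` type, the bearer-token check and the `/admin` policy are all constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed minimal stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def is_authenticated(req: Request) -> bool:
    # Constructed stand-in for the real authentication step.
    return req.headers.get("authorization", "") == "Bearer valid-token"


def opa_policy_allows(req: Request) -> bool:
    # Constructed stand-in for an OPA policy decision: anything under
    # /admin requires an authenticated principal, regardless of method.
    if req.path.startswith("/admin"):
        return is_authenticated(req)
    return True


def vulnerable_dispatch(req: Request) -> int:
    """Returns the status the middleware would yield. Mirrors the
    CVE-2024-40627 pattern: OPTIONS is passed through unchecked."""
    if req.method == "OPTIONS":
        return 200  # policy never consulted for this method
    if not opa_policy_allows(req):
        return 401
    return 200


def fixed_dispatch(req: Request) -> int:
    """Same middleware with the policy applied to every HTTP method."""
    if not opa_policy_allows(req):
        return 401
    return 200


def find_policy_bypass(requests, dispatch):
    """Detection check: requests the policy denies but `dispatch`
    still answers with 200, i.e. paths around the policy layer."""
    return [r for r in requests
            if dispatch(r) == 200 and not opa_policy_allows(r)]
```

Running `find_policy_bypass` against a deployed middleware with a handful of unauthenticated requests across all HTTP methods is a cheap regression test for this class of gap.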
References
- github.com/advisories/GHSA-5f5c-8rvc-j8wf
- github.com/busykoala/fastapi-opa
- github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py
- github.com/busykoala/fastapi-opa/commit/9458845a6f6f414c0b79587fae83d7f14d74dfb4
- github.com/busykoala/fastapi-opa/security/advisories/GHSA-5f5c-8rvc-j8wf
- nvd.nist.gov/vuln/detail/CVE-2024-40627