PyPI: Fastapi-Opa

CVE-2024-40627

Safety vulnerability ID: 72251

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jul 15, 2024 Updated at Nov 29, 2024

Advisory

FastAPI OPA includes a security issue where HTTP `OPTIONS` requests are unconditionally allowed by `OpaMiddleware`, even when they lack authentication. These requests bypass policy evaluation and are forwarded directly to the application. This behavior can allow an unauthenticated attacker to determine the existence of entities within the application based on different responses to HTTP `OPTIONS` requests. For instance, responses might indicate whether an entity is writable at a system level. At present, there are no identified workarounds for this vulnerability.
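The pattern the advisory describes, shown as an added, dependency-free ASGI example that is not fastapi-opa's own code: a weak authorization middleware that forwards `OPTIONS` requests to the application without evaluating policy, beside a hardened variant that evaluates policy for every method. The `policy_allows` function is a stand-in for an OPA query (it only checks for an `Authorization` header, an assumption made for the example), and the downstream `app`, its paths and its `Allow` headers are constructed so that unauthenticated `OPTIONS` probes would reveal which resources exist and are writable.

```python
"""Illustrative ASGI example of an OPTIONS bypass in an authorization
middleware, with a hardened variant. Added example; not fastapi-opa code."""
import asyncio

# Constructed resource table: path -> methods the application would advertise.
RESOURCES = {
    b"/items/42": b"GET, OPTIONS, PUT",   # exists and is writable
    b"/items/7": b"GET, OPTIONS",         # exists, read-only
}


def policy_allows(scope) -> bool:
    # Stand-in for the OPA decision (assumption): an Authorization header is
    # required. A real deployment would query the policy engine here.
    headers = dict(scope.get("headers", []))
    return headers.get(b"authorization") is not None


async def send_plain(send, status, body, extra_headers=()):
    await send({"type": "http.response.start", "status": status,
                "headers": [(b"content-type", b"text/plain"), *extra_headers]})
    await send({"type": "http.response.body", "body": body})


async def app(scope, receive, send):
    # Downstream application (constructed). Its OPTIONS responses differ per
    # resource, which is exactly what an unauthenticated probe could observe.
    path = scope["path"].encode()
    allow = RESOURCES.get(path)
    if allow is None:
        return await send_plain(send, 404, b"not found")
    if scope["method"] == "OPTIONS":
        return await send_plain(send, 204, b"", [(b"allow", allow)])
    return await send_plain(send, 200, b"ok")


class WeakPolicyMiddleware:
    """OPTIONS is exempted from policy evaluation: the flawed pattern."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or scope["method"] == "OPTIONS":
            # Forwarded straight to the app, no policy decision at all.
            return await self.app(scope, receive, send)
        if not policy_allows(scope):
            return await send_plain(send, 401, b"unauthorized")
        return await self.app(scope, receive, send)


class HardenedPolicyMiddleware:
    """Every HTTP method, OPTIONS included, goes through the policy decision."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        if not policy_allows(scope):
            # Same response for every method and path, so nothing about the
            # resource is learned without authorization.
            return await send_plain(send, 401, b"unauthorized")
        return await self.app(scope, receive, send)


async def _call(asgi_app, method, path, headers):
    scope = {"type": "http", "method": method, "path": path,
             "headers": list(headers)}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    await asgi_app(scope, receive, send)
    start = next(m for m in sent if m["type"] == "http.response.start")
    return start["status"], dict(start.get("headers", []))


def probe(asgi_app, method, path, headers=()):
    """Drive an ASGI app in-process; returns (status, headers)."""
    return asyncio.run(_call(asgi_app, method, path, headers))


if __name__ == "__main__":
    weak, hard = WeakPolicyMiddleware(app), HardenedPolicyMiddleware(app)
    for target in (weak, hard):
        print(type(target).__name__,
              probe(target, "OPTIONS", "/items/42"),
              probe(target, "OPTIONS", "/items/999"))
```

Running the block shows the weak middleware answering an unauthenticated `OPTIONS /items/42` with 204 and an `Allow` header that includes `PUT`, while `/items/999` gets 404; the hardened middleware returns 401 for both, so the responses no longer distinguish resources. If CORS preflight must be served without credentials, the usual design is a dedicated CORS layer in front of the authorization middleware rather than a method-based exemption inside it.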

Affected package

fastapi-opa

Latest version: 2.0.1

Fastapi OPA middleware incl. auth flow.

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources
