CVE-2022-28946
Description
An issue in the component ast/parser.go of Open Policy Agent v0.39.0 causes the parser to mishandle `some` and `every` expressions whose domain is an invalid call, causing a Denial of Service (DoS) via an out-of-range slice index (a Go runtime panic) while the policy is parsed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open Policy Agent v0.39.0 contains a parsing bug in ast/parser.go that causes out-of-range memory access and denial of service via crafted Rego expressions.
Vulnerability
The Rego parser in ast/parser.go of Open Policy Agent (OPA) v0.39.0 represents the infix domain `x in xs` as a call `internal.member_2(x, xs)` and `k, v in xs` as `internal.member_3(k, v, xs)`. When parseSome and parseEvery recognise such a call as the domain of a `some` or `every`, they check only the operator name (call[0]) and then read the operands (call[1], call[2] and, for the keyed form, call[3]) without checking how many were actually supplied. A hand-written domain such as `some internal.member_2()` or `every internal.member_3(k, v)` therefore produces an index-out-of-range panic inside the parser, which terminates the process. The fix rejects any such call whose length (operator plus operands) is not 3 for internal.member_2 or 4 for internal.member_3 with an "illegal domain" parse error. This affects OPA v0.39.0 [1][3][4].
Exploitation
An attacker needs only to get an OPA v0.39.0 instance to parse a Rego module containing an expression such as `some internal.member_2()` or `every internal.member_2()`, for example by uploading it through the Policy API (`PUT /v1/policies/<id>`) or by placing it in a bundle the instance loads. No credentials are required beyond whatever already protects that policy-loading path, and the policy never has to be evaluated: the parse step alone triggers the out-of-range index and the crash [1][3].
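The parse-time crash described under Vulnerability and Exploitation, as an added Go example that is not OPA's own code. It models the shape of the parser's call representation (a slice whose element 0 is the operator, as in the real ast.Call) with stand-in Term and Call types, and puts the v0.39.0 pattern of indexing call[1..3] after checking only the operator name beside the arity check that the fix adds. The names parseCall, quantifierUnguarded, quantifierGuarded and panics are chosen here and are not OPA identifiers; the input strings are constructed for the example. The advisory's real reproduction is the same `internal.member_2()` string inside a module handed to the v0.39.0 parser.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Term is a stand-in for OPA's ast.Term (assumption for this example).
type Term string

// Call mirrors the shape of ast.Call: call[0] is the operator, the rest
// are operands. `x in xs` is internal.member_2(x, xs); `k, v in xs` is
// internal.member_3(k, v, xs).
type Call []Term

const (
	memberName        = "internal.member_2" // arity: operator + 2 operands
	memberWithKeyName = "internal.member_3" // arity: operator + 3 operands
)

// Quantifier is a stand-in for the body the parser builds for some/every.
type Quantifier struct {
	Key, Value, Domain Term
}

// parseCall turns "op(a, b)" into a Call. A deliberately tiny tokenizer
// for the example; it does not implement Rego.
func parseCall(src string) (Call, error) {
	open := strings.IndexByte(src, '(')
	if open < 0 || !strings.HasSuffix(src, ")") {
		return nil, errors.New("not a call expression")
	}
	call := Call{Term(strings.TrimSpace(src[:open]))}
	argStr := strings.TrimSpace(src[open+1 : len(src)-1])
	if argStr != "" {
		for _, a := range strings.Split(argStr, ",") {
			call = append(call, Term(strings.TrimSpace(a)))
		}
	}
	return call, nil
}

// quantifierUnguarded models the v0.39.0 behaviour: only the operator
// name is checked, then call[1], call[2] and call[3] are read blindly.
// For internal.member_2() that is an index out of range, i.e. a panic.
func quantifierUnguarded(call Call) (*Quantifier, error) {
	switch string(call[0]) {
	case memberName:
		return &Quantifier{Value: call[1], Domain: call[2]}, nil
	case memberWithKeyName:
		return &Quantifier{Key: call[1], Value: call[2], Domain: call[3]}, nil
	default:
		return nil, errors.New("expected `x in xs` or `x, y in xs` expression")
	}
}

// quantifierGuarded mirrors the fix in #4548: refuse any call whose
// length does not match the operator's arity before indexing into it.
func quantifierGuarded(call Call) (*Quantifier, error) {
	if len(call) == 0 {
		return nil, errors.New("empty call")
	}
	switch string(call[0]) {
	case memberName:
		if len(call) != 3 {
			return nil, errors.New("illegal domain")
		}
		return &Quantifier{Value: call[1], Domain: call[2]}, nil
	case memberWithKeyName:
		if len(call) != 4 {
			return nil, errors.New("illegal domain")
		}
		return &Quantifier{Key: call[1], Value: call[2], Domain: call[3]}, nil
	default:
		return nil, errors.New("expected `x in xs` or `x, y in xs` expression")
	}
}

// panics reports whether fn panics, recovering so this process survives;
// the real parser had no such recovery, so the panic took OPA down.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	for _, src := range []string{
		"internal.member_2(x, xs)",  // valid `x in xs`
		"internal.member_2()",       // the advisory's crash input
		"internal.member_3(k, v)",   // too few operands for the keyed form
	} {
		call, _ := parseCall(src)
		crashed := panics(func() { quantifierUnguarded(call) })
		_, err := quantifierGuarded(call)
		fmt.Printf("%-26s unguarded panics=%v  guarded err=%v\n", src, crashed, err)
	}
}
```

The guarded version returns a parse error for both the empty call and the under-supplied keyed call, while the unguarded version panics on both; the well-formed `x in xs` call succeeds in both. The check is on len(call) including the operator, which is why the fix compares against 3 and 4 rather than 2 and 3.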
Impact
Successful exploitation results in a denial of service (DoS): the out-of-range index is a Go runtime panic, and unless something recovers it the whole OPA process exits, so every policy served by that instance is unavailable until it is restarted. No information is disclosed and no privilege escalation occurs; the impact is limited to the availability of the policy engine [1][3][4].
Mitigation
The fix (commit e9d3828db670, merged in pull request #4548) ships in OPA v0.40.0; users should upgrade to v0.40.0 or later. No workaround is documented. As general hardening while upgrading, restrict who can load policies into the engine (the Policy API, bundle sources and any path that parses untrusted Rego), since the crash happens at parse time rather than at evaluation. The advisory is tracked as GO-2022-0587 in the Go vulnerability database [3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/open-policy-agent/opa (Go) | < 0.40.0 | 0.40.0 |
Affected products
- Open Policy Agent / Open Policy Agent (no CPE assigned)
OSV package coordinates and affected version ranges (9 entries; the RPM entries are Go programs that vendor the OPA module):
- pkg:apk/chainguard/opa: < 0.64.1-r1
- pkg:apk/wolfi/opa: < 0.64.1-r1
- pkg:golang/github.com/open-policy-agent/opa: < 0.40.0
- pkg:rpm/opensuse/starboard (openSUSE Tumbleweed): < 0.15.6-1.1
- pkg:rpm/opensuse/trivy (openSUSE Leap 15.3): < 0.30.4-bp153.8.1
- pkg:rpm/opensuse/trivy (openSUSE Leap 15.4): < 0.28.0-bp154.2.3.1
- pkg:rpm/opensuse/trivy (openSUSE Tumbleweed): < 0.28.0-1.1
- pkg:rpm/suse/trivy (SUSE Package Hub 15 SP3): < 0.30.4-bp153.8.1
- pkg:rpm/suse/trivy (SUSE Package Hub 15 SP4): < 0.28.0-bp154.2.3.1
Patches
e9d3828db670 ast/parser: guard against invalid domains for "some" and "every" (#4548)
2 files changed · +24 −1
ast/parser.go+18 −1 modified@@ -897,7 +897,16 @@ func (p *Parser) parseSome() *Expr { if term := p.parseTermInfixCall(); term != nil { if call, ok := term.Value.(Call); ok { switch call[0].String() { - case Member.Name, MemberWithKey.Name: // OK + case Member.Name: + if len(call) != 3 { + p.illegal("illegal domain") + return nil + } + case MemberWithKey.Name: + if len(call) != 4 { + p.illegal("illegal domain") + return nil + } default: p.illegal("expected `x in xs` or `x, y in xs` expression") return nil @@ -972,9 +981,17 @@ func (p *Parser) parseEvery() *Expr { } switch call[0].String() { case Member.Name: // x in xs + if len(call) != 3 { + p.illegal("illegal domain") + return nil + } qb.Value = call[1] qb.Domain = call[2] case MemberWithKey.Name: // k, v in xs + if len(call) != 4 { + p.illegal("illegal domain") + return nil + } qb.Key = call[1] qb.Value = call[2] qb.Domain = call[3]
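Review bot: the arity check is written out four times (twice in parseSome, twice in parseEvery) with the same bare "illegal domain" message; a small helper that maps Member.Name to 3 and MemberWithKey.Name to 4 and returns the error would keep the arity in one place, and the message should say what was expected, the way the default branch already does with "expected `x in xs` or `x, y in xs` expression", so a user who typed `some internal.member_2()` learns how many operands the domain needs rather than just that it is illegal.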
ast/parser_test.go+6 −0 modified@@ -785,6 +785,10 @@ func TestSomeDeclExpr(t *testing.T) { }, With: []*With{{Value: ArrayTerm(), Target: NewTerm(MustParseRef("input"))}}, }, opts) + + assertParseErrorContains(t, "invalid domain (internal.member_2)", "some internal.member_2()", "illegal domain", opts) + assertParseErrorContains(t, "invalid domain (internal.member_3)", "some internal.member_3()", "illegal domain", opts) + } func TestEvery(t *testing.T) { @@ -851,6 +855,8 @@ func TestEvery(t *testing.T) { "unexpected ident token: expected \\n or ; or }\n\tevery x\n", // this asserts that the tail of the error message doesn't contain a hint ) + assertParseErrorContains(t, "invalid domain (internal.member_2)", "every internal.member_2()", "illegal domain", opts) + assertParseErrorContains(t, "invalid domain (internal.member_3)", "every internal.member_3()", "illegal domain", opts) } func TestNestedExpressions(t *testing.T) {
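Review bot: the new assertions in TestSomeDeclExpr and TestEvery only exercise the zero-operand forms (`internal.member_2()`, `internal.member_3()`), but the guards are `len(call) != 3` and `len(call) != 4`, so a case with too many operands (e.g. `some internal.member_2(x, y, z)`) and one with too few but non-zero (e.g. `every internal.member_3(k, v)`) would pin down that the check rejects both directions and not only the empty call that produced the crash.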
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] https://github.com/advisories/GHSA-x7f3-62pm-9p38 (GitHub Security Advisory)
[2] https://nvd.nist.gov/vuln/detail/CVE-2022-28946 (NVD)
[3] https://github.com/open-policy-agent/opa/commit/e9d3828db670cbe11129885f37f08cbf04935264 (fix commit)
[4] https://github.com/open-policy-agent/opa/pull/4548 (fix pull request)
[5] https://pkg.go.dev/vuln/GO-2022-0587 (Go vulnerability database)