CVE-2025-61688: Omni vulnerable to information leak via API
8.6
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/siderolabs/omni | go | >= 1.1.0-beta.0, <= 1.1.4 | 1.1.5 |
| github.com/siderolabs/omni | go | <= 1.0.1 | 1.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability in Omni (GHSA-77r9-w39m-9xh5) is an information leak via the API, caused by improper authentication. The analysis of the patches reveals two main areas of weakness that were addressed.
First, the functions isSensitiveResource and isSensitiveSpec in internal/backend/server.go had a critical logic flaw. When they encountered an error while parsing a resource or its specification, they would default to treating the resource as non-sensitive (return false). An attacker could exploit this by sending a malformed request for a sensitive resource. The parsing error would cause the system to misclassify the resource, bypassing authentication checks and potentially leading to an information leak.
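To show the fail-open error handling described above in working code, here is an added Go example; it is not Omni's code, and the "k=v;k=v" spec format, the `secret` field and every function name are hypothetical stand-ins for the pattern, shown beside a fail-closed version in which a parse error can no longer bypass the sensitivity check.

```go
package main

import (
	"errors"
	"strings"
)

// Hypothetical stand-in for a resource spec ("k=v;k=v"); not Omni's real format.
var errMalformedSpec = errors.New("malformed spec")
// parseSpec returns the spec's key/value pairs, or an error if a segment lacks '='.
func parseSpec(spec string) (map[string]string, error) {
	fields := map[string]string{}
	for _, seg := range strings.Split(spec, ";") {
		k, v, ok := strings.Cut(seg, "=")
		if !ok {
			return nil, errMalformedSpec // the parse-error path the advisory describes
		}
		fields[k] = v
	}
	return fields, nil
}

// isSensitiveFailOpen reproduces the flawed pattern: parse error -> "not sensitive".
func isSensitiveFailOpen(spec string) bool {
	fields, err := parseSpec(spec)
	if err != nil {
		return false // fail open: a malformed sensitive spec is misclassified
	}
	_, hasSecret := fields["secret"]
	return hasSecret
}

// isSensitiveFailClosed surfaces the error and treats an unparseable spec as sensitive.
func isSensitiveFailClosed(spec string) (bool, error) {
	fields, err := parseSpec(spec)
	if err != nil {
		return true, err // fail closed: the caller cannot silently skip the auth check
	}
	_, hasSecret := fields["secret"]
	return hasSecret, nil
}

// allowUnauthenticatedRead permits an unauthenticated read only for a non-sensitive spec.
func allowUnauthenticatedRead(spec string, failClosed bool) bool {
	if !failClosed {
		return !isSensitiveFailOpen(spec)
	}
	sensitive, err := isSensitiveFailClosed(spec)
	return err == nil && !sensitive
}
```

Run with a spec such as `secret=abc;garbage`: the fail-open gate admits the unauthenticated read, the fail-closed gate denies it.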
Second, the gRPC interceptors AuthConfig.Unary and AuthConfig.Stream in internal/pkg/auth/interceptor/auth_config.go were not correctly enforcing signature verification on incoming API requests. This allowed unauthenticated access to both unary and streaming gRPC endpoints that should have been protected. The patch addresses this by introducing an explicit signature verification step within the interceptors, ensuring that all API calls are authenticated by default. The patch also explicitly makes the GetAuthConfig endpoint public, which was likely the intended behavior all along, while securing all other endpoints.
In summary, the vulnerability was a combination of faulty error handling in resource sensitivity checks and a failure to enforce authentication at the API gateway level. The identified vulnerable functions are the ones that contained these flaws, and their patching was essential to fix the information leak.
Vulnerable functions
- isSensitiveResource (internal/backend/server.go)
- isSensitiveSpec (internal/backend/server.go)
- AuthConfig.Unary (internal/pkg/auth/interceptor/auth_config.go)
- AuthConfig.Stream (internal/pkg/auth/interceptor/auth_config.go)