ghsa-g4v5-6f5p-m38j
Vulnerability from github
Published
2025-02-19 20:25
Modified
2025-02-19 22:39
Severity ?
5.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Summary
OpenFGA Authorization Bypass
Details

Overview OpenFGA v1.8.4 or previous (Helm chart < openfga-0.2.22, docker < v.1.8.5) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

Am I Affected? If you are using OpenFGA v1.8.4 or previous, specifically under the following conditions, you are affected by this authorization bypass vulnerability:

  • Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type, and
  • A type bound public access tuple is assigned to an object, and
  • userset tuple is not assigned to the same object, and
  • Check request's user field is a userset that has the same type as the type bound public access tuple's user type

Fix Upgrade to v1.8.5. This upgrade is backwards compatible.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openfga/openfga"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-19T20:25:22Z",
    "nvd_published_at": "2025-02-19T21:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Overview\nOpenFGA v1.8.4 or previous (Helm chart \u003c openfga-0.2.22, docker \u003c v.1.8.5) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.\n\nAm I Affected?\nIf you are using OpenFGA v1.8.4 or previous, specifically under the following conditions, you are affected by this authorization bypass vulnerability:\n\n- Calling Check API or ListObjects with a model that has a relation [directly assignable](https://openfga.dev/docs/concepts#what-is-a-directly-related-user-type) to both [public access](https://openfga.dev/docs/concepts#what-is-type-bound-public-access) AND [userset](https://openfga.dev/docs/concepts#what-is-a-user) with the [same type](https://openfga.dev/docs/concepts#what-is-a-type), and\n- A type bound public access tuple is assigned to an object, and\n- userset tuple is not assigned to the same object, and\n- Check request\u0027s user field is a userset that has the same type as the type bound public access tuple\u0027s user type\n\n\nFix\nUpgrade to v1.8.5. This upgrade is backwards compatible.",
  "id": "GHSA-g4v5-6f5p-m38j",
  "modified": "2025-02-19T22:39:15Z",
  "published": "2025-02-19T20:25:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/security/advisories/GHSA-g4v5-6f5p-m38j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25196"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/commit/0aee4f47e0c642de78831ceb27bb62b116f49588"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openfga/openfga"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenFGA Authorization Bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.