GHSA-32q6-rr98-cjqv

Suggest an improvement
Source
https://github.com/advisories/GHSA-32q6-rr98-cjqv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-32q6-rr98-cjqv/GHSA-32q6-rr98-cjqv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-32q6-rr98-cjqv
Aliases
Related
Published
2025-01-13T19:59:24Z
Modified
2025-01-14T21:08:16Z
Severity
  • 5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator
Summary
OpenFGA Authorization Bypass
Details

Overview

OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

Am I Affected?

You are affected by this authorization bypass vulnerability if you are using OpenFGA v1.3.8 to v1.8.2, specifically under the following conditions: 1. Calling Check API or ListObjects with a model that uses conditions, and 2. OpenFGA is configured with caching enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED), and 3. Check API call or ListObjects API calls contain contextual tuples that include conditions.

Fix

Upgrade to v1.8.3. This upgrade is backwards compatible.

Database specific
{
    "nvd_published_at": "2025-01-13T22:15:14Z",
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-13T19:59:24Z"
}
References

Affected packages

Go / github.com/openfga/openfga

Package

Name
github.com/openfga/openfga
View open source insights on deps.dev
Purl
pkg:golang/github.com/openfga/openfga

Affected ranges

Type
SEMVER
Events
Introduced
1.3.8
Fixed
1.8.3