CVE-2024-42473

7.5 HIGH

📋 TL;DR

OpenFGA versions 1.5.7 and 1.5.8 contain an authorization bypass vulnerability when using Check API with models containing 'but not' and 'from' expressions combined with usersets. This allows attackers to bypass intended authorization checks and access unauthorized resources. All deployments using affected versions are vulnerable.

💻 Affected Systems

Products:
  • OpenFGA
Versions: 1.5.7 and 1.5.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using models with 'but not' and 'from' expressions combined with usersets

📦 What is this software?

OpenFGA is an open-source, Zanzibar-style fine-grained authorization engine: an application stores an authorization model plus relationship tuples in it and calls its Check API to ask whether a user holds a given relation to an object.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authorization bypass allowing unauthorized access to all protected resources and data

🟠

Likely Case

Partial authorization bypass enabling access to specific resources that should be restricted

🟢

If Mitigated

Limited impact if proper network segmentation and additional authorization layers exist

🌐 Internet-Facing: HIGH - Internet-facing OpenFGA instances can be directly exploited
🏢 Internal Only: MEDIUM - Requires internal network access but could lead to privilege escalation

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowledge of the authorization model structure but is straightforward once understood

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available yet

Vendor Advisory: https://github.com/openfga/openfga/security/advisories/GHSA-3f6g-m4hr-59h8

Restart Required: Yes

Instructions:

1. Downgrade to OpenFGA v1.5.6
2. Stop OpenFGA service
3. Install v1.5.6
4. Restart OpenFGA service
5. Verify downgrade completed successfully

🔧 Temporary Workarounds

Downgrade to v1.5.6

Applies to: all

Downgrade to the last unaffected version, which is backward compatible.

# pull the last unaffected image
docker pull openfga/openfga:v1.5.6
# point the openfga service's image in docker-compose.yml at openfga/openfga:v1.5.6, then recreate the stack
docker-compose down
docker-compose up -d

🧯 If You Can't Patch

  • Implement additional authorization layer before OpenFGA
  • Disable or restrict Check API endpoints using network controls

🔍 How to Verify

Check if Vulnerable:

Check the running OpenFGA version via the API endpoint or the container image tag.

Check Version:

curl -X GET http://localhost:8080/version

Verify Fix Applied:

Confirm version is 1.5.6 or earlier after downgrade
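As an added example (not part of this advisory and not OpenFGA project code), the following Python script performs the two checks above offline: it classifies a version string against the affected versions listed here, and it scans an authorization model for relations that combine 'but not' (a difference rewrite) and 'from' (a tupleToUserset rewrite) with a relation that accepts usersets, which is the model shape the Notes field calls out. The model dict layout is assumed to mirror the JSON the OpenFGA API returns for a model; the sample model, SAFE_MODEL and the version strings are constructed for the example.

```python
"""Offline checks for CVE-2024-42473 (added example, not OpenFGA project code).

Assumptions: the model dict mirrors the JSON the OpenFGA API returns for an
authorization model (type_definitions, relations, metadata.relations[*]
.directly_related_user_types); only the version *string* is handled here,
so pass in whatever your /version endpoint or image tag reports.
"""
import copy
import json
import re

# Versions this advisory lists as affected.
AFFECTED_VERSIONS = {(1, 5, 7), (1, 5, 8)}


def parse_version(text):
    """Turn 'v1.5.7' or '1.5.7' into (1, 5, 7); reject anything else."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    return parse_version(text) in AFFECTED_VERSIONS


def _walk(rewrite):
    """Yield (operator, body) for every node of a relation rewrite tree."""
    stack = [rewrite]
    while stack:
        node = stack.pop()
        for op, body in node.items():
            yield op, body
            if op in ("union", "intersection"):
                stack.extend(body.get("child", []))
            elif op == "difference":
                stack.extend((body["base"], body["subtract"]))


def _userset_relations(type_def):
    """Names of relations on this type that directly accept a userset (e.g. group#member)."""
    meta = (type_def.get("metadata") or {}).get("relations") or {}
    return {
        name for name, m in meta.items()
        if any("relation" in ref for ref in m.get("directly_related_user_types", []))
    }


def find_risky_relations(model):
    """Return 'type#relation' for relations that use difference ('but not') and
    tupleToUserset ('from') and reference a relation that accepts usersets.
    A conservative triage heuristic; a hit does not prove exploitability."""
    risky = []
    for td in model.get("type_definitions", []):
        userset_rels = _userset_relations(td)
        for name, rewrite in (td.get("relations") or {}).items():
            ops, referenced = set(), {name}  # 'this' refers to the relation itself
            for op, body in _walk(rewrite):
                ops.add(op)
                if op == "computedUserset":
                    referenced.add(body["relation"])
                elif op == "tupleToUserset":
                    referenced.add(body["tupleset"]["relation"])
            if {"difference", "tupleToUserset"} <= ops and referenced & userset_rels:
                risky.append(f"{td['type']}#{name}")
    return risky


# Constructed sample: document viewer = ([user] or viewer from parent) but not blocked,
# where blocked accepts the userset group#member.
SAMPLE_MODEL = json.loads("""
{"schema_version": "1.1", "type_definitions": [
 {"type": "user"},
 {"type": "group", "relations": {"member": {"this": {}}},
  "metadata": {"relations": {"member": {"directly_related_user_types": [{"type": "user"}]}}}},
 {"type": "folder", "relations": {"viewer": {"this": {}}},
  "metadata": {"relations": {"viewer": {"directly_related_user_types": [{"type": "user"}]}}}},
 {"type": "document",
  "relations": {
   "parent": {"this": {}},
   "blocked": {"this": {}},
   "viewer": {"difference": {
     "base": {"union": {"child": [
       {"this": {}},
       {"tupleToUserset": {"tupleset": {"object": "", "relation": "parent"},
                           "computedUserset": {"object": "", "relation": "viewer"}}}]}},
     "subtract": {"computedUserset": {"object": "", "relation": "blocked"}}}}},
  "metadata": {"relations": {
   "parent": {"directly_related_user_types": [{"type": "folder"}]},
   "blocked": {"directly_related_user_types": [{"type": "user"}, {"type": "group", "relation": "member"}]},
   "viewer": {"directly_related_user_types": [{"type": "user"}]}}}}]}
""")

# Same model with blocked restricted to plain users: no userset involved, so not flagged.
SAFE_MODEL = copy.deepcopy(SAMPLE_MODEL)
SAFE_MODEL["type_definitions"][3]["metadata"]["relations"]["blocked"] = {
    "directly_related_user_types": [{"type": "user"}]
}

if __name__ == "__main__":
    print("v1.5.7 affected:", is_affected_version("v1.5.7"))
    print("risky relations:", find_risky_relations(SAMPLE_MODEL))
```

Run it against the JSON of your own model (for example the body of an authorization-model read) to get a short list of relations to review first; an empty list on an affected version is not a reason to skip the downgrade, since the heuristic only inspects the model, not the tuples or request patterns.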

📡 Detection & Monitoring

Log Indicators:

  • Unusual Check API call patterns
  • Authorization failures followed by successful access

Network Indicators:

  • Increased Check API traffic to specific endpoints

SIEM Query:

Splunk-style SPL; the field names user, relation, object and status are placeholders to map onto your OpenFGA log schema:

source="openfga" ("Check" OR "authorization")
| stats earliest(status) AS first_status, latest(status) AS last_status, count(eval(status="failure")) AS failures BY user, relation, object
| where failures > 0 AND first_status="failure" AND last_status="success"
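The "authorization failures followed by successful access" indicator above, implemented over sample log lines as an added example (not part of this advisory and not OpenFGA project code). The JSON lines and their field names (ts, method, user, relation, object, allowed) are constructed assumptions; map them onto the fields your deployment actually emits.

```python
"""Detect 'denied then allowed' Check sequences in OpenFGA-style logs.

Added example, not OpenFGA project code. The log lines below are constructed
and their field names (ts, method, user, relation, object, allowed) are an
assumption; map them onto the fields your OpenFGA deployment actually emits.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is denied twice then allowed within seconds;
# carol is denied and then allowed 90 minutes later.
SAMPLE_LOGS = """\
{"ts":"2024-08-12T10:00:01Z","method":"Check","user":"user:alice","relation":"viewer","object":"document:budget","allowed":false}
{"ts":"2024-08-12T10:00:03Z","method":"Check","user":"user:alice","relation":"viewer","object":"document:budget","allowed":false}
{"ts":"2024-08-12T10:00:05Z","method":"Check","user":"user:alice","relation":"viewer","object":"document:budget","allowed":true}
{"ts":"2024-08-12T10:00:07Z","method":"Check","user":"user:bob","relation":"viewer","object":"document:roadmap","allowed":true}
{"ts":"2024-08-12T10:30:00Z","method":"Check","user":"user:carol","relation":"editor","object":"document:budget","allowed":false}
{"ts":"2024-08-12T12:00:00Z","method":"Check","user":"user:carol","relation":"editor","object":"document:budget","allowed":true}
"""


def parse_log(text):
    """Parse JSON lines, keep only Check calls, return them in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("method") != "Check":
            continue
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def deny_then_allow(events, window_seconds=300):
    """Flag an allowed Check that follows one or more denials of the same
    (user, relation, object) within the window. Legitimate grants produce
    the same pattern, so treat hits as leads to correlate with tuple writes."""
    window = timedelta(seconds=window_seconds)
    denials = defaultdict(list)
    findings = []
    for e in events:
        key = (e["user"], e["relation"], e["object"])
        if not e["allowed"]:
            denials[key].append(e["ts"])
            continue
        recent = [t for t in denials[key] if e["ts"] - t <= window]
        if recent:
            findings.append({
                "user": e["user"], "relation": e["relation"], "object": e["object"],
                "prior_denials": len(recent), "allowed_at": e["ts"].isoformat(),
            })
        denials[key].clear()
    return findings


def checks_per_object(events):
    """Volume of Check calls per object, for the 'increased traffic' indicator."""
    counts = defaultdict(int)
    for e in events:
        counts[e["object"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOGS)
    for finding in deny_then_allow(evs):
        print("deny->allow:", finding)
    print("checks per object:", checks_per_object(evs))
```

The window is the tuning knob: a short window catches probing that flips to success within one session, a long one also sweeps in ordinary access grants, so pair the hits with your tuple-write audit trail before escalating.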
