CVE-2025-48371
📋 TL;DR
OpenFGA versions 1.8.0 through 1.8.12 contain an authorization bypass vulnerability in Check and ListObject API calls. An attacker can bypass intended permissions when the authorization model contains a relation that is directly assignable both through type-bound public access and through a userset. This affects all users running a vulnerable OpenFGA version with an authorization model of that shape.
💻 Affected Systems
- OpenFGA
- OpenFGA Helm Chart
- OpenFGA Docker
📦 What is this software?
Helm Charts by Openfga
Openfga by Openfga
⚠️ Risk & Real-World Impact
Worst Case
Complete authorization bypass allowing unauthorized access to protected resources and data, potentially leading to data exfiltration, privilege escalation, or system compromise.
Likely Case
Partial authorization bypass enabling unauthorized access to specific resources based on misconfigured relationship definitions, potentially exposing sensitive data.
If Mitigated
Limited impact with proper access controls and monitoring, though authorization logic may still be circumvented in specific scenarios.
🎯 Exploit Status
Exploitation requires specific authorization model configurations and API calls, making it targeted but potentially impactful when conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenFGA 1.8.13, Helm chart openfga-0.2.31, Docker 1.8.13
Vendor Advisory: https://github.com/openfga/openfga/security/advisories/GHSA-c72g-53hw-82q7
Restart Required: Yes
Instructions:
1. Upgrade OpenFGA to version 1.8.13 or later.
2. For Helm deployments, upgrade to chart version openfga-0.2.31 or later.
3. For Docker deployments, use image tag 1.8.13 or later.
4. Restart OpenFGA services after upgrade.
🔧 Temporary Workarounds
Authorization Model Review
Review and modify authorization models so that no relation is directly assignable by both type-bound public access and a userset at the same time.
🧯 If You Can't Patch
- Review all authorization models and remove relations that are directly assignable by both type-bound public access and a userset
- Implement additional access controls and monitoring for Check and ListObject API calls
🔍 How to Verify
Check if Vulnerable:
Check the OpenFGA version via the API or the deployment configuration files. If the version is between 1.8.0 and 1.8.12 inclusive, the deployment is vulnerable whenever its authorization model contains a relation that is directly assignable by both type-bound public access and a userset.
Check Version:
curl -X GET http://localhost:8080/version (adjust host/port as needed) or check deployment configuration files.
Verify Fix Applied:
Verify OpenFGA version is 1.8.13 or later, Helm chart is openfga-0.2.31 or later, or Docker image is 1.8.13 or later.
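The two checks above (is the running version in the affected range, and does any authorization model contain a relation that is directly assignable by both type-bound public access and a userset) can be scripted so the review in the workaround section is repeatable across many stores. The following is an added example and is not code from the OpenFGA project or from the advisory. It assumes the model is in the JSON form that OpenFGA returns for an authorization model (schema 1.1), in which each relation's metadata lists `directly_related_user_types`, an entry carrying a `wildcard` key denotes type-bound public access (such as `user:*`) and an entry carrying a `relation` key denotes a userset (such as `group#member`). The sample model and version strings are constructed for the demonstration.

```python
"""Audit an OpenFGA deployment for the CVE-2025-48371 precondition.

Added example, not OpenFGA project code. Assumes the authorization model is
the JSON form returned by OpenFGA (schema 1.1) with per-relation metadata
listing `directly_related_user_types`.
"""
import re

# Version range taken from the advisory text: 1.8.0 through 1.8.12 affected,
# 1.8.13 is the first fixed release.
VULNERABLE_MIN = (1, 8, 0)
VULNERABLE_MAX = (1, 8, 12)


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from strings like 'v1.8.12' or '1.8.13-rc1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_in_vulnerable_range(text: str) -> bool:
    """True when the reported version falls inside the affected range."""
    return VULNERABLE_MIN <= parse_version(text) <= VULNERABLE_MAX


def find_risky_relations(model: dict) -> list:
    """Return (type, relation) pairs that are directly assignable by BOTH a
    type-bound wildcard (public access) and a userset, i.e. the model shape the
    advisory says must be removed while unpatched."""
    findings = []
    for type_def in model.get("type_definitions", []):
        relations_meta = (type_def.get("metadata") or {}).get("relations") or {}
        for rel_name, meta in relations_meta.items():
            direct = meta.get("directly_related_user_types") or []
            has_wildcard = any("wildcard" in entry for entry in direct)
            has_userset = any(entry.get("relation") for entry in direct)
            if has_wildcard and has_userset:
                findings.append((type_def["type"], rel_name))
    return findings


def audit(model: dict, version: str) -> dict:
    """Combine both checks: exposed only if version AND model match."""
    vulnerable_version = version_in_vulnerable_range(version)
    risky = find_risky_relations(model)
    return {
        "vulnerable_version": vulnerable_version,
        "risky_relations": risky,
        "exposed": vulnerable_version and bool(risky),
    }


# Constructed sample model (not from the advisory). document#viewer is directly
# assignable to user:* (wildcard) and to group#member (userset), the pattern to
# remove; document#editor only accepts plain users and is fine.
SAMPLE_MODEL = {
    "schema_version": "1.1",
    "type_definitions": [
        {"type": "user"},
        {
            "type": "group",
            "relations": {"member": {"this": {}}},
            "metadata": {"relations": {
                "member": {"directly_related_user_types": [{"type": "user"}]}
            }},
        },
        {
            "type": "document",
            "relations": {"viewer": {"this": {}}, "editor": {"this": {}}},
            "metadata": {"relations": {
                "viewer": {"directly_related_user_types": [
                    {"type": "user", "wildcard": {}},
                    {"type": "group", "relation": "member"},
                ]},
                "editor": {"directly_related_user_types": [{"type": "user"}]},
            }},
        },
    ],
}

if __name__ == "__main__":
    for reported in ("v1.8.12", "1.8.13"):
        result = audit(SAMPLE_MODEL, reported)
        print(reported, "->", result)
```

Run it against each store's model (fetched with the ReadAuthorizationModel call or exported from your infrastructure-as-code) and the version string your deployment reports; a non-empty `risky_relations` on a version in range is the condition to fix first, and the same list tells you which relations to restructure if patching is delayed.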
📡 Detection & Monitoring
Log Indicators:
- Unusual Check or ListObject API call patterns
- Authorization failures followed by successful access
- API calls with specific relationship patterns matching vulnerability conditions
Network Indicators:
- Increased Check/ListObject API traffic to vulnerable endpoints
- Unusual authorization request patterns
SIEM Query:
source="openfga" AND (api_call="Check" OR api_call="ListObjects") AND response_code=200 AND user_agent NOT IN [expected_agents]