CVE-2025-55213

9.8 CRITICAL

📋 TL;DR

OpenFGA versions 1.9.3 to 1.9.4 contain an improper policy enforcement vulnerability in Check and ListObjects calls. This allows attackers to bypass authorization controls and access resources they shouldn't have permission to view or modify. Organizations using OpenFGA for authorization decisions in their applications are affected.

💻 Affected Systems

Products:
  • OpenFGA
Versions: v1.9.3 to v1.9.4 (Helm chart openfga-0.2.40 to openfga-0.2.41, Docker v1.9.3 to v1.9.4)
Operating Systems: All platforms running OpenFGA
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable regardless of configuration. The vulnerability is in core authorization logic.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authorization bypass allowing unauthorized access to all protected resources, data exfiltration, privilege escalation, and system compromise.

🟠

Likely Case

Partial authorization bypass leading to unauthorized data access, privilege escalation for specific users, and policy enforcement failures.

🟢

If Mitigated

Limited impact due to defense-in-depth controls, network segmentation, and additional authorization layers catching bypass attempts.

🌐 Internet-Facing: HIGH - OpenFGA is often deployed as an authorization service for web applications, making internet-facing instances prime targets.
🏢 Internal Only: HIGH - Even internal deployments are at risk as attackers could pivot from other compromised systems or malicious insiders could exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires API access to make Check or ListObject calls, but the vulnerability itself is straightforward to trigger once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.5

Vendor Advisory: https://github.com/openfga/openfga/security/advisories/GHSA-mgh9-4mwp-fg55

Restart Required: Yes

Instructions:

1. Update OpenFGA to version 1.9.5 or later.
2. For Helm deployments: helm upgrade openfga openfga/openfga --version 0.2.42+
3. For Docker: docker pull openfga/openfga:1.9.5+
4. Restart all OpenFGA instances.
5. Verify the update with version check commands.

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict network access to OpenFGA API endpoints to only trusted services and applications.

# Example using iptables. Replace trusted_ip_range with the CIDR of the callers
# that are allowed to reach the HTTP API. Because -A appends, the ACCEPT rule
# must be added before the DROP rule; the gRPC listener (default port 8081)
# needs the same pair of rules, since Check and ListObjects are also served over gRPC.
iptables -A INPUT -p tcp --dport 8080 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

  • Implement additional authorization layer before OpenFGA calls to validate requests independently
  • Monitor all Check and ListObject API calls for suspicious patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check OpenFGA version via API: curl http://openfga-host:8080/version or check container/process version

Check Version:

curl -s http://localhost:8080/version | grep version

Verify Fix Applied:

Confirm version is 1.9.5 or higher and test authorization policies with known bypass attempts
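The version check above is easy to get wrong by eye (1.9.10 sorts after 1.9.4 as a string, and tags may carry a leading "v" or a pre-release suffix). The script below is an added example, not part of the advisory or of OpenFGA: it compares a version string against the affected range v1.9.3 to v1.9.4 and, optionally, pulls the version from the /version endpoint the advisory names. The endpoint's response format is not stated on the page, so the script only assumes the reply contains a dotted version somewhere; `grep -o` is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the advisory or the OpenFGA project): classify an
# OpenFGA version against the CVE-2025-55213 affected range v1.9.3..v1.9.4.

# is_affected VERSION -> exit 0 if VERSION is in [1.9.3, 1.9.4], else 1.
# Accepts "v1.9.4", "1.9.4", "1.9.4-rc1"; anything non-numeric is "not affected"
# only in the sense that it cannot be parsed (callers should treat that as unknown).
is_affected() {
    v="${1#v}"            # drop a leading "v"
    v="${v%%[-+]*}"       # drop pre-release / build metadata
    case "$v" in
        ''|*[!0-9.]*) return 1 ;;   # not a dotted numeric version
    esac
    IFS=. read -r major minor patch <<EOF
$v
EOF
    patch="${patch:-0}"
    [ "$major" -eq 1 ] && [ "$minor" -eq 9 ] && [ "$patch" -ge 3 ] && [ "$patch" -le 4 ]
}

# verdict VERSION -> prints VULNERABLE or "not affected"
verdict() {
    if is_affected "$1"; then
        echo "VULNERABLE"
    else
        echo "not affected"
    fi
}

# extract_version TEXT -> first X.Y.Z found in TEXT (works for JSON or plain text)
extract_version() {
    printf '%s' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# check_host HOST:PORT -> queries the /version endpoint named in the advisory
# (response format assumed only to contain the version string) and prints
# "<version> <verdict>". Returns 2 if the endpoint is unreachable or unparsable.
check_host() {
    raw=$(curl -sf "http://${1:-localhost:8080}/version") || { echo "unreachable"; return 2; }
    v=$(extract_version "$raw")
    [ -n "$v" ] || { echo "no version found in response"; return 2; }
    printf '%s %s\n' "$v" "$(verdict "$v")"
}

# Run the live check only when a host is given, e.g.: sh check.sh openfga-host:8080
if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```

Run it as `sh check.sh openfga-host:8080` against each instance after the upgrade; a result of `1.9.5 not affected` confirms the fix is in place, while a parse failure (exit status 2) means the endpoint reply should be inspected by hand rather than assumed safe.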

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns in Check/ListObject API calls
  • Authorization failures followed by successful access
  • High volume of authorization requests from single sources

Network Indicators:

  • Unusual traffic to OpenFGA authorization endpoints
  • Authorization bypass patterns in API requests

SIEM Query:

source="openfga" AND (api_call="Check" OR api_call="ListObjects") AND result="allowed" AND user NOT IN authorized_users
