CVE-2025-64751
📋 TL;DR
OpenFGA versions 1.4.0 through 1.11.0 contain an improper policy enforcement flaw in the Check and ListObjects APIs: under some conditions the server returns a decision the authorization model does not permit, so a caller can be granted access to resources it should not be able to view, list or modify. Every deployment running an affected version is exposed; upgrade to 1.11.1 or later.
💻 Affected Systems
- OpenFGA
📦 What is this software?
OpenFGA is an open-source, Zanzibar-inspired fine-grained authorization engine (a CNCF project) that applications query for access decisions through its Check and ListObjects APIs. Affected artifacts:
- Openfga by Openfga (the server, e.g. the openfga/openfga container image)
- Helm Charts by Openfga (the openfga Helm chart)
⚠️ Risk & Real-World Impact
Worst Case
Complete authorization bypass allowing unauthorized access to sensitive data, privilege escalation, or data manipulation across all protected resources.
Likely Case
Partial authorization bypass enabling unauthorized access to specific resources or actions that should be restricted by policy.
If Mitigated
Reduced, not eliminated: network segmentation and least privilege narrow what a wrong decision can reach, and monitoring shortens the time to notice, but because the flawed decision is returned to the application that legitimately calls OpenFGA, only the patch restores correct enforcement.
🎯 Exploit Status
No public exploit is referenced on this page. Exploiting the flaw requires knowledge of the target's OpenFGA authorization model and the ability to trigger Check/ListObjects calls of the right shape, which in a typical deployment means driving the application that calls OpenFGA rather than talking to OpenFGA directly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.1
Vendor Advisory: https://github.com/openfga/openfga/security/advisories/GHSA-2c64-vmv2-hgfc
Restart Required: Yes
Instructions:
1. Update OpenFGA to version 1.11.1 or later.
2. For Helm: update the chart to openfga-0.2.49 or later.
3. For Docker: use openfga/openfga:v1.11.1 or later.
4. Restart all OpenFGA services.
🔧 Temporary Workarounds
Temporary access restriction
Restrict at the network level (firewall, service mesh policy, API gateway) which clients may reach OpenFGA's Check/ListObjects endpoints, and enable authentication on the API (OpenFGA supports pre-shared key and OIDC authentication) so only the intended applications can query it. This limits direct probing of OpenFGA but does not correct wrong decisions returned to those legitimate callers.
🧯 If You Can't Patch
- Isolate OpenFGA from untrusted networks with strict network segmentation, so only the applications that need decisions can reach it
- Increase monitoring and alerting on unexpected Check/ListObjects patterns, and review who has accessed the most sensitive resources the model protects
- Treat the upgrade as urgent: this page describes no configuration change that closes the flaw
🔍 How to Verify
Check if Vulnerable:
Check OpenFGA version via API endpoint or container image tag. If version is between 1.4.0 and 1.11.0 inclusive, it's vulnerable.
Check Version:
curl -X GET http://openfga-host:8080/version (if your deployment exposes it)
openfga version (run the server binary, e.g. docker run --rm openfga/openfga:<tag> version)
docker inspect, or kubectl get deploy -o jsonpath='{..image}', to read the running image tag
helm list -A to read the deployed chart version (CHART column, e.g. openfga-0.2.48)
Verify Fix Applied:
Confirm the reported version is 1.11.1 or later on every replica, not just one. Then re-run your authorization regression tests against the patched server: Check requests for users the model must deny should return allowed=false, and ListObjects should not return objects those users cannot reach.
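The version comparison above is easy to get wrong by hand across image tags, Helm chart names and pre-release suffixes. The following is an added example, not code from this page or from the OpenFGA project: it classifies server versions against the affected range stated here (1.4.0 through 1.11.0, fixed in 1.11.1, chart openfga-0.2.49), extracts the tag from container image references (including registries with ports and digest pins) and reads the CHART column format that helm list prints. The sample image references are constructed.

```python
import re
from typing import Optional, Tuple

# Affected range and fix as stated on this page (advisory GHSA-2c64-vmv2-hgfc):
# OpenFGA 1.4.0 through 1.11.0 inclusive is affected; 1.11.1 is the fix.
# Helm chart openfga-0.2.49 is the first chart release carrying the fix.
FIRST_AFFECTED = (1, 4, 0)
LAST_AFFECTED = (1, 11, 0)
FIXED = (1, 11, 1)
FIXED_CHART = (0, 2, 49)

# "v1.11.0", "1.11.0", "v1.11.1-rc1", "1.11.1+build5" -> (major, minor, patch), prerelease
_SEMVER_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?(?:\+[0-9A-Za-z.\-]+)?$"
)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), prerelease) or None if text is not a semver."""
    m = _SEMVER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch)), (pre or "")


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the server version is in the affected range, False if fixed or older
    than the range, None if the string is not a concrete version (e.g. the 'latest'
    tag), which must be resolved before deciding."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    base, pre = parsed
    if FIRST_AFFECTED <= base <= LAST_AFFECTED:
        return True
    # Semver orders 1.11.1-rc1 *before* 1.11.1, so a pre-release of the fix
    # version is treated conservatively as still affected.
    if base == FIXED and pre:
        return True
    return False


def image_tag(ref: str) -> Optional[str]:
    """Extract the tag from an image reference. The tag separator is the last ':'
    in the last path component (so registry ports are not mistaken for it); digest
    pins and untagged refs carry no version to compare and yield None."""
    last = ref.rsplit("/", 1)[-1]
    if "@" in last:
        return None  # digest pin: resolve to a version out-of-band (image labels, SBOM)
    if ":" not in last:
        return None  # implicit 'latest'
    return last.split(":", 1)[1]


def image_is_vulnerable(ref: str) -> Optional[bool]:
    tag = image_tag(ref)
    return None if tag is None else is_vulnerable(tag)


def chart_is_fixed(chart: str) -> Optional[bool]:
    """helm list prints the CHART column as '<name>-<version>', e.g. 'openfga-0.2.48'.
    True when the chart version is at least 0.2.49, the fixed chart per this page."""
    m = re.match(r"^openfga-(\d+)\.(\d+)\.(\d+)$", chart.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) >= FIXED_CHART


def report(refs):
    """Map each image reference to 'VULNERABLE', 'ok' or 'unknown (resolve tag)'."""
    labels = {True: "VULNERABLE", False: "ok", None: "unknown (resolve tag)"}
    return {ref: labels[image_is_vulnerable(ref)] for ref in refs}


if __name__ == "__main__":
    # Constructed sample references; replace with the output of your inventory tooling.
    for ref, status in report([
        "openfga/openfga:v1.11.1",
        "registry.example.internal:5000/openfga/openfga:v1.10.0",
        "openfga/openfga@sha256:0123abcd",
        "openfga/openfga",
    ]).items():
        print(f"{status:24s} {ref}")
```

Feed it the image references from your cluster inventory (for example the jsonpath query above) rather than a hand-typed list, and treat every "unknown" result as unresolved work, not as clean.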
📡 Detection & Monitoring
Log Indicators:
- Check/ListObjects volumes, callers or object types outside the normal profile of the applications that use this store
- A Check for a given (user, relation, object) that returns allowed=false and shortly afterwards allowed=true, with no Write to the store in between
- Application-side audit records showing access to resources the authorization model should deny
Network Indicators:
- Increased volume of Check/ListObject API calls
- Unusual source IPs making authorization requests
SIEM Query:
source="openfga" AND (event_type="check" OR event_type="listobjects") | stats count by user, resource, result
(The field names are placeholders; map them to the fields your OpenFGA request logging and log pipeline actually emit.)
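The three log indicators and the SIEM query above can be prototyped offline before they are turned into a production rule. The following is an added example, not code from this page or from the OpenFGA project: it runs over a constructed set of JSON request-log lines, produces the same count-by-user/resource/result breakdown as the SIEM query, flags a denied-then-allowed flip for the same (user, relation, object) inside a time window, and flags source addresses that issue more Check/ListObjects calls than a baseline threshold and are not on the list of expected callers. All field names (ts, grpc_method, remote_addr, user, relation, object, allowed), the threshold and the sample addresses are assumptions for the example.

```python
import json
from collections import Counter

# Constructed sample of JSON request logs. Every field name here is an assumption for
# this example; rename them to match what your OpenFGA request logging emits.
SAMPLE_LOGS = [
    {"ts": 1700000000, "grpc_method": "Check", "remote_addr": "10.0.1.5",
     "user": "user:alice", "relation": "viewer", "object": "document:budget", "allowed": True},
    {"ts": 1700000001, "grpc_method": "Check", "remote_addr": "10.0.1.5",
     "user": "user:bob", "relation": "editor", "object": "document:budget", "allowed": False},
    {"ts": 1700000002, "grpc_method": "Check", "remote_addr": "10.0.1.5",
     "user": "user:bob", "relation": "editor", "object": "document:budget", "allowed": True},
    {"ts": 1700000005, "grpc_method": "ListObjects", "remote_addr": "203.0.113.9",
     "user": "user:mallory", "relation": "viewer", "type": "document"},
]
# A burst of Check calls from one unexpected address, also constructed.
SAMPLE_LOGS += [
    {"ts": 1700000010 + i, "grpc_method": "Check", "remote_addr": "203.0.113.9",
     "user": "user:mallory", "relation": "viewer", "object": f"document:{i}", "allowed": False}
    for i in range(30)
]
SAMPLE_TEXT = "\n".join(json.dumps(e) for e in SAMPLE_LOGS)


def parse_logs(text):
    """One JSON object per line; lines that are not JSON are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sorted(events, key=lambda e: e.get("ts", 0))


def stats_by_user_resource_result(events):
    """Equivalent of the SIEM query's `stats count by user, resource, result` for Check calls."""
    return Counter(
        (e["user"], e["object"], e["allowed"])
        for e in events if e.get("grpc_method") == "Check"
    )


def decision_flips(events, window_s=60):
    """A Check that was denied and then allowed for the same (user, relation, object)
    within window_s seconds. A legitimate Write in between explains it; with no such
    write in the application's own audit trail the flip deserves a look."""
    last_denied = {}
    flips = []
    for e in events:
        if e.get("grpc_method") != "Check":
            continue
        key = (e["user"], e["relation"], e["object"])
        if e["allowed"] is False:
            last_denied[key] = e["ts"]
        elif key in last_denied and e["ts"] - last_denied[key] <= window_s:
            flips.append(key + (last_denied.pop(key), e["ts"]))
    return flips


def noisy_sources(events, threshold=20, known_callers=frozenset()):
    """Addresses issuing more than `threshold` Check/ListObjects calls that are not on
    the list of expected application callers. The threshold is a placeholder; derive
    it from your own baseline."""
    counts = Counter(
        e.get("remote_addr") for e in events
        if e.get("grpc_method") in ("Check", "ListObjects")
    )
    return {addr: n for addr, n in counts.items()
            if n > threshold and addr not in known_callers}


def analyze(text, known_callers=frozenset({"10.0.1.5"})):
    events = parse_logs(text)
    return {
        "stats": stats_by_user_resource_result(events),
        "flips": decision_flips(events),
        "noisy_sources": noisy_sources(events, known_callers=known_callers),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_TEXT)
    for (user, obj, allowed), n in sorted(result["stats"].items()):
        print(f"{n:4d} {user:14s} {obj:18s} allowed={allowed}")
    print("decision flips:", result["flips"])
    print("noisy sources:", result["noisy_sources"])
```

The flip detector is the indicator most specific to a decision-logic bug, but it is only meaningful when correlated with the store's Write history; on its own it will also fire on every legitimate grant. Keep the known-callers list in sync with the applications that are actually allowed to reach OpenFGA, since that list is what turns "high volume" into "high volume from somewhere unexpected".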