CVE-2025-48371

Description

### Overview OpenFGA v1.8.0 to v1.8.12 ( openfga-0.2.16 <= Helm chart <= openfga-0.2.31, v1.8.0 <= docker <= v.1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. ### Am I Affected? If you are using OpenFGA v1.8.0 to v1.8.12, specifically under the following conditions, you are affected by this authorization bypass vulnerability: - Calling Check API or ListObjects with an [authorization model](https://openfga.dev/docs/concepts#what-is-an-authorization-model) that has a relationship directly assignable by both [type bound public access](https://openfga.dev/docs/concepts#what-is-type-bound-public-access) and [userset](https://openfga.dev/docs/modeling/building-blocks/usersets), and - There are check or list object queries with [contextual tuples](https://openfga.dev/docs/interacting/contextual-tuples) for the relationship that can be directly assignable by both [type bound public access](https://openfga.dev/docs/concepts#what-is-type-bound-public-access) and [userset](https://openfga.dev/docs/modeling/building-blocks/usersets), and - Those contextual tuples’s user field is an userset, and - Type bound public access tuples are not assigned to the relationship ### Fix Upgrade to v1.8.13. This upgrade is backwards compatible. ### Acknowledgments OpenFGA would like to thank @udyvish for discovering this vulnerability.

Affected packages (2)

• Go/github.com/openfga/openfga>= 1.8.0, < 1.8.13
• Go/github.com/openfga/openfga>= 1.8.0, < 1.8.13

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-48371
• PATCHhttps://github.com/openfga/openfga
• WEBhttps://github.com/openfga/openfga/commit/e5960d4eba92b723de8ff3a5346a07f50c1379ca
• WEBhttps://github.com/openfga/openfga/security/advisories/GHSA-c72g-53hw-82q7
• WEBhttps://pkg.go.dev/vuln/GO-2025-3707