Vulnerability Description
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples’s user field is an userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openfga | Helm Charts | >= 0.2.16, < 0.2.32 |
| Openfga | Openfga | >= 1.8.0, < 1.8.13 |
Related Weaknesses (CWE)
References
- https://github.com/openfga/openfga/commit/e5960d4eba92b723de8ff3a5346a07f50c1379Patch
- https://github.com/openfga/openfga/security/advisories/GHSA-c72g-53hw-82q7PatchVendor Advisory
FAQ
What is CVE-2025-48371?
CVE-2025-48371 is a vulnerability with a CVSS score of 8.8 (HIGH). OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable ...
How severe is CVE-2025-48371?
CVE-2025-48371 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-48371?
Check the references section above for vendor advisories and patch information. Affected products include: Openfga Helm Charts, Openfga Openfga.