OpenFGA, Authorization Bypass, CVE-2025-XXXX (Critical)

How the CVE Works

CVE-2025-XXXX is an authorization bypass flaw in OpenFGA versions 1.3.6 to 1.8.10. The vulnerability stems from improper validation of Check and ListObjects API calls, which allows attackers to bypass access controls under specific conditions. When malformed queries are processed, OpenFGA fails to enforce relationship-based permissions and grants unintended access to protected objects. The root cause is a logic error in the evaluation engine, where certain edge cases in tuple evaluation are mishandled. Attackers can craft requests that manipulate store IDs or relation names, tricking the system into returning unauthorized data.

DailyCVE Form:

Platform: OpenFGA
Version: 1.3.6 – 1.8.10
Vulnerability: Auth Bypass
Severity: Critical
Date: 2025-04-30

What Undercode Says:

Exploitation:

1. Craft Malformed Check Request:

POST /stores/{store_id}/check
{"tuple_key":{"user":"user:unauthorized","relation":"view","object":"document:confidential"}}

2. Bypass ListObjects Query:

POST /stores/{store_id}/list-objects
{"type":"document","relation":"view","user":"user:attacker"}

Detection:

1. Log Analysis:

grep -E "Check|ListObjects" /var/log/openfga/audit.log | grep "status=200"

2. Version Check:

docker exec openfga fga version | grep "1.8.10"
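
The two detection steps above, worked into one small defender-side triage helper. This is an added example, not code from the advisory or from the OpenFGA project. It assumes the affected range stated on this page (1.3.6 through 1.8.10) and a constructed key=value audit-log format; real OpenFGA logs are structured differently, so parse_line() and the field names (method, status, allowed, object, type) are assumptions to adapt to your deployment. It goes beyond the page's single-string grep in two ways: the version check compares numerically against the whole affected range rather than matching only "1.8.10", and the log filter narrows Check/ListObjects hits to allow decisions that touch objects a reviewer has marked as sensitive.

```python
"""Added example (not from the advisory or the OpenFGA project).

Assumptions, repeated in the comments below:
  * Affected range 1.3.6 .. 1.8.10 is taken from the advisory text.
  * The audit-log format is constructed for this example; real OpenFGA
    logs use different fields, so adapt parse_line() and the field names.
"""
import re
from typing import Iterable, List, Set, Tuple

AFFECTED_LOW: Tuple[int, int, int] = (1, 3, 6)    # from the advisory
AFFECTED_HIGH: Tuple[int, int, int] = (1, 8, 10)  # from the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version such as '1.8.10' or 'v1.8.10' as an int tuple."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text: str) -> bool:
    """True when the version lies inside the affected range (inclusive).

    Numeric comparison, so 1.3.6, 1.5.0 and 1.8.10 all match while
    1.3.5 and 1.8.11 do not; a grep for the literal "1.8.10" misses
    every other release in the range.
    """
    return AFFECTED_LOW <= parse_version(version_text) <= AFFECTED_HIGH


# Constructed sample lines in an ASSUMED key=value audit format.
SAMPLE_LOG = """\
ts=2025-04-30T10:00:01Z method=Check store=01STORE user=user:alice relation=view object=document:public status=200 allowed=true
ts=2025-04-30T10:00:02Z method=Check store=01STORE user=user:unauthorized relation=view object=document:confidential status=200 allowed=true
ts=2025-04-30T10:00:03Z method=ListObjects store=01STORE user=user:attacker relation=view type=document status=200 allowed=true
ts=2025-04-30T10:00:04Z method=Write store=01STORE user=user:admin status=200
ts=2025-04-30T10:00:05Z method=Check store=01STORE user=user:bob relation=view object=document:confidential status=200 allowed=false
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict (assumed format)."""
    return dict(LINE_RE.findall(line))


def suspicious_decisions(lines: Iterable[str], watched: Set[str]) -> List[dict]:
    """Return Check/ListObjects entries that returned an allow for a watched target.

    Mirrors the page's grep (Check|ListObjects and status=200) but keeps only
    allow decisions whose object (Check) or object type (ListObjects) is in
    the reviewer's watch set, so the output is a short list worth reading.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if rec.get("method") not in {"Check", "ListObjects"}:
            continue
        if rec.get("status") != "200" or rec.get("allowed") != "true":
            continue
        target = rec.get("object") or rec.get("type")
        if target in watched:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    print("affected:", is_affected("openfga version 1.8.10"))
    watch = {"document:confidential", "document"}
    for h in suspicious_decisions(SAMPLE_LOG.splitlines(), watch):
        print(h["ts"], h["method"], h["user"], h.get("object") or h.get("type"))
```

Feed the output of your real version command into is_affected() and your real audit log into suspicious_decisions() once parse_line() matches its format; the watch set should list the objects and types whose access decisions you want reviewed after patching, as the advisory's closing note recommends.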

Mitigation:

1. Patch Immediately:

helm upgrade openfga openfga/openfga --version 0.2.29

2. Temporary Workaround:

openfga/config.yaml
experimental:
  enable_authorization_checks: true

References:

Note: Monitor logs for unusual Check/ListObjects activity post-patch.

Sources:

Reported By: github.com
Extra Source Hub: Undercode
