x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2025-25196 #3471

GoVulnBot · 2025-02-19T22:01:18Z

Advisory CVE-2025-25196 references a vulnerability in the following Go modules:

Module
github.com/openfga/openfga

Description:
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA v1.8.4 or previous, specifically under the following conditions are affected by this authorization bypass vulnerability: 1. Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type. 2. A type bound public access tu...

References:

ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-25196
FIX: openfga/openfga@0aee4f4
WEB: GHSA-g4v5-6f5p-m38j

Cross references:

github.com/openfga/openfga appears in 13 other report(s):
- data/reports/GO-2022-1079.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39340 #1079)
- data/reports/GO-2022-1080.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39341 #1080)
- data/reports/GO-2022-1081.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39342 #1081)
- data/reports/GO-2022-1099.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39352 #1099)
- data/reports/GO-2022-1179.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-23542 #1179)
- data/reports/GO-2023-1872.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-35933 #1872)
- data/reports/GO-2023-2028.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-jcf2-mxr2-gmqp #2028)
- data/reports/GO-2023-2084.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-43645 #2084)
- data/reports/GO-2023-2121.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-45810 #2121)
- data/reports/GO-2024-2477.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-23820 #2477)
- data/reports/GO-2024-2729.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-31452 #2729)
- data/reports/GO-2024-3061.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-3f6g-m4hr-59h8 #3061)
- data/reports/GO-2025-3384.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-32q6-rr98-cjqv #3384)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openfga/openfga
      vulnerable_at: 1.8.5
summary: CVE-2025-25196 in github.com/openfga/openfga
cves:
    - CVE-2025-25196
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-25196
    - fix: https://github.com/openfga/openfga/commit/0aee4f47e0c642de78831ceb27bb62b116f49588
    - web: https://github.com/openfga/openfga/security/advisories/GHSA-g4v5-6f5p-m38j
source:
    id: CVE-2025-25196
    created: 2025-02-19T22:01:17.872670743Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

thatnealpatel · 2025-02-21T19:06:32Z

Duplicate of #3470

GoVulnBot added cve-year-2025 NeedsTriage labels Feb 19, 2025

thatnealpatel added duplicate triaged and removed NeedsTriage labels Feb 21, 2025

thatnealpatel marked this as a duplicate of #3470 Feb 21, 2025

thatnealpatel closed this as completed Feb 21, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2025-25196 #3471

x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2025-25196 #3471

GoVulnBot commented Feb 19, 2025

thatnealpatel commented Feb 21, 2025

x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2025-25196 #3471

x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2025-25196 #3471

Comments

GoVulnBot commented Feb 19, 2025

thatnealpatel commented Feb 21, 2025