Search
Free Cyber Assessment

published date: May 22, 2025

CVE-2025-48371 : Authorization Bypass Vulnerability

Description

OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples’s user field is an userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible.
  • CVSS:5.8 [Critical]
  • EPSS:0.00%
  • Exploitability:0
  • In KEV:No

Question to Ask Vendors:

  1. Can you confirm whether your systems are affected by CVE-2025-48371, and if so, what steps are you currently taking to mitigate this vulnerability?
  2. What is your estimated timeline for fully resolving CVE-2025-48371 in your products or services, and how will you communicate updates on this issue to us as your customer?

READY TO GET RESULTS YOU CAN TRUST?

Get a Demo Contact Sales