Vulnerability Details CVE-2025-48371
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples’s user field is an userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 5.8%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2025-48371
-
cpe:2.3:a:openfga:helm_charts:0.2.16
-
cpe:2.3:a:openfga:helm_charts:0.2.17
-
cpe:2.3:a:openfga:helm_charts:0.2.18
-
cpe:2.3:a:openfga:helm_charts:0.2.19
-
cpe:2.3:a:openfga:helm_charts:0.2.20
-
cpe:2.3:a:openfga:helm_charts:0.2.21
-
cpe:2.3:a:openfga:helm_charts:0.2.22
-
cpe:2.3:a:openfga:helm_charts:0.2.23
-
cpe:2.3:a:openfga:helm_charts:0.2.24
-
cpe:2.3:a:openfga:helm_charts:0.2.25
-
cpe:2.3:a:openfga:helm_charts:0.2.26
-
cpe:2.3:a:openfga:helm_charts:0.2.27
-
cpe:2.3:a:openfga:helm_charts:0.2.28
-
cpe:2.3:a:openfga:helm_charts:0.2.29
-
cpe:2.3:a:openfga:helm_charts:0.2.30
-
cpe:2.3:a:openfga:helm_charts:0.2.31
-
cpe:2.3:a:openfga:openfga:1.8.0
-
cpe:2.3:a:openfga:openfga:1.8.1
-
cpe:2.3:a:openfga:openfga:1.8.10
-
cpe:2.3:a:openfga:openfga:1.8.11
-
cpe:2.3:a:openfga:openfga:1.8.12
-
cpe:2.3:a:openfga:openfga:1.8.2
-
cpe:2.3:a:openfga:openfga:1.8.3
-
cpe:2.3:a:openfga:openfga:1.8.4
-
cpe:2.3:a:openfga:openfga:1.8.5
-
cpe:2.3:a:openfga:openfga:1.8.6
-
cpe:2.3:a:openfga:openfga:1.8.7
-
cpe:2.3:a:openfga:openfga:1.8.8
-
cpe:2.3:a:openfga:openfga:1.8.9