CVE-2023-43645: Loop with Unreachable Exit Condition ('Infinite Loop')

September 28, 2023

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA is vulnerable to a denial-of-service attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When such a call is made, the server can exhaust its resources and crash. Users are advised to upgrade to v1.3.2 and update any offending models. There are no known workarounds for this vulnerability. Note that for models which contain cycles, or a relation definition that has the relation itself in its evaluation path, checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. Users who do not have cyclic models are unaffected.
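Since v1.3.2 rejects cyclic models with an error rather than evaluating them, it helps to find offending models before upgrading. The following Go program is an added example, not OpenFGA's own code: `Model` is a constructed simplification of an authorization model in which each relation lists the relations its evaluation depends on, and `FindCycle` reports one evaluation path that re-enters itself; the sample model is constructed.

```go
package main

import "fmt"

// Model is a simplified stand-in (an assumption, not OpenFGA's own types): each relation,
// named "type#relation", maps to the relations its evaluation depends on.
type Model map[string][]string

// FindCycle returns one closed evaluation path (first == last) if a relation reaches itself, else nil.
func FindCycle(m Model) []string {
	onPath := map[string]int{} // relation -> index in path, for relations being evaluated
	done := map[string]bool{}  // relations fully explored without hitting a cycle
	var path []string
	var visit func(string) []string
	visit = func(r string) []string {
		onPath[r], path = len(path), append(path, r)
		for _, dep := range m[r] {
			if i, ok := onPath[dep]; ok { // back edge: dep is still being evaluated
				return append(append([]string{}, path[i:]...), dep)
			}
			if !done[dep] {
				if c := visit(dep); c != nil {
					return c
				}
			}
		}
		delete(onPath, r)
		path, done[r] = path[:len(path)-1], true
		return nil
	}
	for r := range m {
		if !done[r] {
			if c := visit(r); c != nil {
				return c
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample: "viewer" is defined as "editor or viewer", so evaluating
	// viewer re-enters viewer without ever reaching a direct tuple lookup.
	cyclic := Model{
		"document#viewer": {"document#editor", "document#viewer"},
		"document#editor": {"document#owner"},
	}
	fmt.Println("cyclic model:", FindCycle(cyclic)) // [document#viewer document#viewer]
	fmt.Println("acyclic model:", FindCycle(Model{"document#viewer": {"document#editor"}})) // []
}
```

Relations that appear only as dependencies (such as `document#owner` above) are treated as leaves with no further rewrites.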

References

  • github.com/advisories/GHSA-2hm9-h873-pgqh
  • github.com/openfga/openfga/commit/725296025fd81227c89525808652c6acd4a605f6
  • github.com/openfga/openfga/security/advisories/GHSA-2hm9-h873-pgqh
  • nvd.nist.gov/vuln/detail/CVE-2023-43645

Affected versions

All versions before 1.3.2

Fixed versions

  • v1.3.2

Solution

Upgrade to version 1.3.2 or above.

Impact

5.9 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Source file

go/github.com/openfga/openfga/CVE-2023-43645.yml

Page generated Wed, 14 May 2025 12:15:25 +0000.