CVE-2025-25196: OpenFGA Authorization Bypass
Overview OpenFGA v1.8.4 or previous (Helm chart < openfga-0.2.22, docker < v.1.8.5) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.
Am I Affected? If you are using OpenFGA v1.8.4 or previous, specifically under the following conditions, you are affected by this authorization bypass vulnerability:
- Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type, and
- A type bound public access tuple is assigned to an object, and
- userset tuple is not assigned to the same object, and
- Check request’s user field is a userset that has the same type as the type bound public access tuple’s user type
Fix Upgrade to v1.8.5. This upgrade is backwards compatible.
References
Detect and mitigate CVE-2025-25196 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →