CVE-2025-25196
Published: 19 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25196 is an authorization bypass vulnerability affecting OpenFGA versions prior to v1.8.4, including Helm chart versions before openfga-0.2.22 and Docker images before v1.8.4. OpenFGA is a high-performance authorization and permission engine inspired by Google Zanzibar. The flaw occurs during certain Check and ListObjects API calls when a model has a relation directly assignable to both public access and a userset of the same type, a type-bound public access tuple is assigned to an object, no userset tuple is assigned to the same object, and the Check request's user field is a userset matching the type of the public access tuple's user.
The vulnerability can be exploited by unauthenticated remote attackers with network access to the OpenFGA instance; it requires low attack complexity and no privileges. By crafting a Check or ListObjects request that meets the conditions above, an attacker can bypass authorization checks, with high confidentiality, integrity, and availability impact as reflected in the CVSS v3.1 base score of 9.8. The result is unauthorized access to authorization data or objects that should have been restricted.
The official security advisory and patch commit recommend upgrading to OpenFGA v1.8.5, which is backwards compatible and addresses the issue. No workarounds are available. Details are provided in the GitHub security advisory at https://github.com/openfga/openfga/security/advisories/GHSA-g4v5-6f5p-m38j and the fixing commit at https://github.com/openfga/openfga/commit/0aee4f47e0c642de78831ceb27bb62b116f49588.
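As an added illustration, not code from the advisory or the OpenFGA project, the script below parses an OpenFGA DSL model (schema 1.1) and flags any relation that is directly assignable to both type-bound public access (`T:*`) and a userset of the same type (`T#rel`), the first of the model-level conditions listed above. The sample model is constructed for the example; a hit means the model deserves review and the instance should be upgraded, since the remaining conditions depend on the tuples actually stored.

```python
import re

# Constructed sample of an OpenFGA DSL model (schema 1.1). The "viewer"
# relation on "document" has the shape described in the advisory: directly
# assignable to both user:* (type-bound public access) and user#member
# (a userset of the same type).
SAMPLE_MODEL = """
model
  schema 1.1
type user
  relations
    define member: [user]
type document
  relations
    define owner: [user]
    define viewer: [user:*, user#member]
    define editor: [user] or owner
"""

# Matches "define <relation>: [<direct types>]" and captures both parts;
# anything after the closing bracket (e.g. "or owner") is ignored here.
DEFINE_RE = re.compile(r"^\s*define\s+(\w+)\s*:\s*\[([^\]]*)\]")


def parse_direct_assignments(model_text):
    """Return {(object_type, relation): [directly assignable types]}."""
    result = {}
    current_type = None
    for line in model_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("type "):
            current_type = stripped.split(None, 1)[1].strip()
            continue
        m = DEFINE_RE.match(line)
        if m and current_type:
            # Drop any "with <condition>" suffix so only the type reference remains
            targets = [t.strip().split(" with ")[0] for t in m.group(2).split(",")]
            result[(current_type, m.group(1))] = [t for t in targets if t]
    return result


def find_public_and_userset_overlap(model_text):
    """Flag relations listing both T:* and T#rel for the same type T."""
    findings = []
    for (obj_type, relation), targets in parse_direct_assignments(model_text).items():
        public_types = {t[:-2] for t in targets if t.endswith(":*")}
        userset_types = {t.split("#", 1)[0] for t in targets if "#" in t}
        for t in sorted(public_types & userset_types):
            findings.append((obj_type, relation, t))
    return findings
```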
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authorization bypass in a network-accessible OpenFGA service lets unauthenticated remote attackers exploit the public-facing application: crafted Check or ListObjects API calls bypass its authorization checks.