OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Unfortunately, it has recently been discovered that OpenFGA v1.8.4 and earlier (Helm chart < openfga-0.2.22, Docker < v1.8.4) are vulnerable to an authorization bypass issue under certain conditions.
This vulnerability affects users of OpenFGA v1.8.4 or earlier if all of the following conditions are met:
1. The Check API or ListObjects API is called with a model that has a relation directly assignable to both public access (type-bound `type:*`) AND a userset of that same type.
2. A type-bound public access tuple is assigned to the object being checked.
3. No userset tuple is assigned to that same object.
4. The Check request's user field is a userset whose type is the same as the user type of the type-bound public access tuple.
Here's a code snippet illustrating the occurrence of authorization bypass
def check_auth_bypass(model, object, user):
    # Illustrative only: the helper predicates stand for the four
    # conditions listed above; they are not OpenFGA's own code.
    if (
        model.relation.assignable_to_public and        # condition 1: relation directly assignable to public access ...
        model.relation.assignable_to_userset and       # ... and to a userset of the same type
        check_type_bound_public_access(object) and     # condition 2: type-bound public access tuple on the object
        not check_userset_assignment(object) and       # condition 3: no userset tuple on the same object
        is_same_type_as_public_access(user)            # condition 4: request user is a userset of the public access type
    ):
        return True
    return False
The vulnerability occurs when all of these conditions hold at once: a Check or ListObjects call can then answer more permissively than the model intends, so a caller can bypass the authorization engine and gain access to resources it was never granted.
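As an added example (not OpenFGA's code and not taken from the advisory), the following Python evaluates a simplified authorization model and tuple set against the four conditions above, so an operator can list which relations in a model fall into the affected pattern and see whether a particular Check request matches it. The dictionary representation of the model, the tuple strings, and the reading of condition 3 as "no userset tuple for that relation on that object" are assumptions of this example.

```python
"""Offline checker for the four CVE-2025-25196 conditions (added example, not OpenFGA code).

Assumed representation (constructed for this example):
- model: {type_name: {relation: [directly assignable types]}}, where an
  assignable type is written like the OpenFGA DSL entries "user",
  "group:*" (type-bound public access) or "group#member" (userset);
- tuples: (user, relation, object) strings in the "type:id", "type:*" or
  "type:id#relation" forms used by the OpenFGA API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RelTuple:
    """One relationship tuple in API string form."""
    user: str      # "user:anne", "group:*" (public access) or "group:eng#member" (userset)
    relation: str  # "viewer"
    obj: str       # "document:readme"


def ref_type(ref: str) -> str:
    """Type part of an object or user reference ("group:eng#member" -> "group")."""
    return ref.split(":", 1)[0]


def is_public_access(user: str) -> bool:
    return user.endswith(":*")


def is_userset(user: str) -> bool:
    return "#" in user


def shared_public_and_userset_types(model, type_name, relation):
    """Condition 1: types T for which the relation is directly assignable
    to both 'T:*' and some 'T#rel'."""
    assignable = model.get(type_name, {}).get(relation, [])
    public = {t[:-2] for t in assignable if t.endswith(":*")}
    usersets = {t.split("#", 1)[0] for t in assignable if "#" in t}
    return public & usersets


def affected_relations(model):
    """Model-level scan: every (type, relation, shared type) worth reviewing
    before the upgrade to v1.8.5 is rolled out."""
    found = []
    for type_name, relations in model.items():
        for relation in relations:
            for shared in sorted(shared_public_and_userset_types(model, type_name, relation)):
                found.append((type_name, relation, shared))
    return found


def evaluate_request(model, tuples, user, relation, obj):
    """Return {1: .., 2: .., 3: .., 4: .., 'affected': ..} for one Check/ListObjects request."""
    shared = shared_public_and_userset_types(model, ref_type(obj), relation)
    on_object = [t for t in tuples if t.obj == obj and t.relation == relation]
    # Condition 2: a type-bound public access tuple on the object, for a shared type.
    public_tuples = [t for t in on_object if is_public_access(t.user) and ref_type(t.user) in shared]
    conditions = {
        1: bool(shared),
        2: bool(public_tuples),
        # Condition 3 (assumed reading): no userset tuple for this relation on the same object.
        3: not any(is_userset(t.user) for t in on_object),
        # Condition 4: request user is a userset of the public access tuple's user type.
        4: is_userset(user) and any(ref_type(user) == ref_type(t.user) for t in public_tuples),
    }
    conditions["affected"] = all(conditions[i] for i in (1, 2, 3, 4))
    return conditions


# Constructed sample model and tuples for the demonstration.
MODEL = {
    "user": {},
    "group": {"member": ["user"]},
    "document": {"viewer": ["user", "group:*", "group#member"]},
}
TUPLES = [RelTuple("group:*", "viewer", "document:readme")]

if __name__ == "__main__":
    print("relations to review:", affected_relations(MODEL))
    print("userset user, no userset tuple:",
          evaluate_request(MODEL, TUPLES, "group:eng#member", "viewer", "document:readme"))
    print("plain user:",
          evaluate_request(MODEL, TUPLES, "user:anne", "viewer", "document:readme"))
```

The request with user `group:eng#member` against a model and tuple set that match all four conditions reports `affected: True`; adding a userset tuple to the same object breaks condition 3, and a plain `user:anne` request fails condition 4, so neither is reported. The model-level scan is the part to run first: it is independent of stored tuples and tells you whether any relation in your model can be in this state at all.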
Official References
- OpenFGA GitHub Repository: https://github.com/openfga/OpenFGA
- Official Vulnerability Advisory: https://github.com/openfga/OpenFGA/security/advisories/CVE-2025-25196
- Google Zanzibar: https://research.google/pubs/pub48190/
Exploit Details
Currently, there are no known exploits available for this vulnerability. However, attackers are likely to be actively searching for ways to exploit this flaw, so it is essential to patch immediately.
Mitigation and Recommendations
Users of OpenFGA v1.8.4 or older are advised to upgrade to v1.8.5, which is backwards compatible and addresses the vulnerability by enforcing a proper check on the conditions mentioned above. You can upgrade using the following methods:
- Helm chart upgrade: helm upgrade [YOUR_OPENFGA_RELEASE_NAME] openfga/openfga -f [YOUR_CUSTOM_CONFIG] --version 0.2.23
- Docker image upgrade: docker pull openfga/openfga:v1.8.5
There are no known workarounds for this vulnerability, so the best course of action is to upgrade to the latest version of OpenFGA and keep monitoring developments related to this issue. Until the upgrade is rolled out, it is worth reviewing your authorization model for relations that are directly assignable to both a type-bound public access type and a userset of that same type, since only those relations can be in the affected state. Secure coding practices and regular security audits also help prevent similar issues in the future.
In conclusion, CVE-2025-25196 highlights the importance of keeping software up-to-date and being vigilant about potential security issues. Users must upgrade to the latest version of OpenFGA to mitigate this vulnerability and maintain a secure environment for their applications.
Timeline
Published on: 02/19/2025 21:15:15 UTC