CVE-2025-48371 PUBLISHED CVSS 5.8 MEDIUM

OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (Helm chart openfga-0.2.16 through openfga-0.2.30, Docker images 1.8.0 through 1.8.12) are vulnerable to an authorization bypass when certain Check and ListObjects calls are executed. A deployment is affected only when all four of the following conditions hold:

1. The Check or ListObjects call uses an authorization model in which a relation is directly assignable by both type-bound public access (a wildcard user such as `user:*`) and a userset (such as `group#member`).
2. The Check or ListObjects query carries contextual tuples for that relation.
3. The user field of those contextual tuples is a userset.
4. No type-bound public access tuple is assigned to that relation.

Users should upgrade to version 1.8.13, which contains the fix; the upgrade is backwards compatible. The CVSS v4.0 vector below reflects these preconditions (AT:P, PR:L) and places the impact on the subsequent systems that rely on OpenFGA's authorization decisions (SC:H/SI:H/SA:H) rather than on OpenFGA itself.
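The four conditions above can be checked mechanically against a model and a request. The following triage script is an added example and is not OpenFGA's own code: it parses an authorization model in OpenFGA's JSON format (schema 1.1, with `directly_related_user_types` metadata), the tuples already in the store, and a Check/ListObjects request with contextual tuples, and reports the relations for which the request matches all four conditions. The model, stored tuples and request are constructed for the example; the assumption that a wildcard tuple already present among the contextual tuples also satisfies condition 4 is the script's own.

```python
"""Triage helper for CVE-2025-48371 (added example, not OpenFGA code).

Reports (object_type, relation) pairs for which a Check/ListObjects request
meets all four conditions from the advisory. Input formats follow OpenFGA's
JSON authorization model and tuple representation; sample data is constructed.
"""
import json

# Constructed sample model: document#viewer is directly assignable from both
# `user:*` (type-bound public access) and `group#member` (a userset).
MODEL_JSON = """
{
  "schema_version": "1.1",
  "type_definitions": [
    {"type": "user"},
    {"type": "group",
     "relations": {"member": {"this": {}}},
     "metadata": {"relations": {"member": {
       "directly_related_user_types": [{"type": "user"}]}}}},
    {"type": "document",
     "relations": {"viewer": {"this": {}}},
     "metadata": {"relations": {"viewer": {
       "directly_related_user_types": [
         {"type": "user", "wildcard": {}},
         {"type": "group", "relation": "member"}]}}}}
  ]
}
"""

# Constructed sample tuples already in the store (no `user:*` tuple on viewer).
STORED_TUPLES = [
    {"user": "user:anne", "relation": "member", "object": "group:eng"},
]

# Constructed sample Check request carrying a userset contextual tuple.
CHECK_REQUEST = {
    "user": "user:bob",
    "relation": "viewer",
    "object": "document:roadmap",
    "contextual_tuples": [
        {"user": "group:eng#member", "relation": "viewer",
         "object": "document:roadmap"},
    ],
}


def load_model():
    """Parse the embedded sample model."""
    return json.loads(MODEL_JSON)


def mixed_relations(model):
    """Condition 1: relations directly assignable by both a type-bound
    wildcard (`type:*`) and a userset (`type#relation`).
    Returns a set of (object_type, relation)."""
    found = set()
    for td in model["type_definitions"]:
        rels = td.get("metadata", {}).get("relations", {})
        for rel, meta in rels.items():
            users = meta.get("directly_related_user_types", [])
            has_wildcard = any("wildcard" in u for u in users)
            has_userset = any("relation" in u for u in users)
            if has_wildcard and has_userset:
                found.add((td["type"], rel))
    return found


def is_userset(user):
    """A userset user field looks like `group:eng#member`; `user:*` is a
    wildcard and `user:anne` a plain user (assumed tuple syntax)."""
    return "#" in user


def object_type(obj):
    return obj.split(":", 1)[0]


def has_public_tuple(tuples, obj, relation):
    """Negation of condition 4: a `type:*` tuple assigned to obj#relation."""
    return any(t["object"] == obj and t["relation"] == relation
               and t["user"].endswith(":*") for t in tuples)


def affected_relations(model, stored_tuples, request):
    """Return the (object_type, relation) pairs for which the request meets all
    four conditions; an empty set means the request does not match the CVE."""
    mixed = mixed_relations(model)
    contextual = request.get("contextual_tuples", [])
    all_tuples = list(stored_tuples) + contextual   # assumption: both count for cond. 4
    hits = set()
    for ct in contextual:
        key = (object_type(ct["object"]), ct["relation"])
        if key not in mixed:
            continue                                 # conditions 1/2 not met
        if not is_userset(ct["user"]):
            continue                                 # condition 3 not met
        if has_public_tuple(all_tuples, ct["object"], ct["relation"]):
            continue                                 # condition 4 not met
        hits.add(key)
    return hits


if __name__ == "__main__":
    print(affected_relations(load_model(), STORED_TUPLES, CHECK_REQUEST))
```

Run it against a model exported from a pre-1.8.13 deployment and the contextual tuples your application actually sends; an empty set for every request means none of the four conditions line up, while any hit is a relation whose Check/ListObjects results should not be trusted until the upgrade is applied.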

EPSS 0.10% · 27.8th percentile

Risk Scores

CVSS v4.0
5.8
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
EPSS Score
0.10%
27.8th percentile

Affected Products

Vendor       Product           Versions
github.com   openfga/openfga   1.8.0
openfga      helm_charts       0.2.16
openfga      openfga           >= 1.8.0, < 1.8.13
