CVE-2025-55213
BaseFortify

Publication date: 2025-08-18

Last updated on: 2025-08-18

Assigner: GitHub, Inc.

Description
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.9.3 and v1.9.4 (Helm chart openfga-0.2.40 to openfga-0.2.41; Docker image v1.9.3 to v1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObjects calls are executed. This vulnerability is fixed in v1.9.5.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-08-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Four CPEs are associated with this CVE:

Vendor    Product   Version
openfga   openfga   1.9.2
openfga   openfga   1.9.3
openfga   openfga   1.9.4
openfga   openfga   1.9.5

Read this list with the advisory text above in mind: only 1.9.3 and 1.9.4 are vulnerable. 1.9.2 is the downgrade target named as a workaround and 1.9.5 is the fixed release, so the CPE list should not be taken as four affected versions.
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-55213 is an incorrect-authorization flaw (CWE-863) in OpenFGA v1.9.3 and v1.9.4: certain Check and ListObjects calls are evaluated against the wrong policy. It is triggered only when an authorization model contains a relation that is directly assignable by more than one userset of the same type (for example, a relation assignable by both `group#member` and `group#admin`). The userset-resolution optimization in those versions wrongly assumes that the object IDs match in that case, so the engine can return an incorrect access decision, potentially granting access that the stored relationship tuples do not warrant. [1, 2]


How can this vulnerability impact me?

The CVSS assessment rates the impact on the vulnerable system itself (OpenFGA) as none for confidentiality, integrity, and availability, but rates the impact on subsequent systems as high. That is the right way to read an authorization-engine bug: OpenFGA holds no application data of its own, but every application that asks it Check or ListObjects questions trusts the answer, so a wrong decision can expose data or permit operations in those downstream applications that the caller should not have had. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is mainly a version check: an OpenFGA deployment is exposed if the server is v1.9.3 or v1.9.4, the Helm chart is openfga-0.2.40 or openfga-0.2.41, or the Docker image tag is v1.9.3 or v1.9.4. Run `openfga version` against the binary, run `helm list` in the relevant namespace to read the deployed chart version, or inspect the image tag in your container runtime (for example `docker ps --format '{{.Image}}'`). Exposure also requires that at least one authorization model in an affected store contains a relation directly assignable by more than one userset of the same type; exporting the models (for example with `fga model get` from the OpenFGA CLI) and scanning them for that pattern tells you whether the bug can actually be triggered. The resources give no signature for detecting exploitation attempts in logs, which is to be expected: an exploiting request is an ordinary Check or ListObjects call that simply receives a wrong answer. [1]
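The following Python script, added here as an example (it is not code from the OpenFGA project or from this page's sources), combines the two checks from the explanation and detection answers above: the version-range test, and a scan of an authorization model's JSON for a relation that is directly assignable by more than one userset of the same type. The sample model, the version strings, and the function names are constructed for the example; the JSON layout follows the `type_definitions` / `metadata.relations[...].directly_related_user_types` structure of OpenFGA's JSON model format.

```python
"""Audit helper for CVE-2025-55213 (an added example, not OpenFGA project code).

Two checks a practitioner wants before deciding whether a deployment is
exposed: (1) is the server / Helm chart version in the affected range, and
(2) does an authorization model contain the triggering pattern, a relation
that is directly assignable by more than one userset of the same object type
(in DSL terms something like `define viewer: [group#member, group#admin]`).
The model below is constructed for this example; it follows the JSON layout
OpenFGA uses for models (type_definitions with per-relation
metadata.relations[<rel>].directly_related_user_types).
"""
import json
from collections import defaultdict

# Affected ranges as stated in the advisory text on this page.
AFFECTED_SERVER_VERSIONS = {(1, 9, 3), (1, 9, 4)}
AFFECTED_HELM_CHARTS = {(0, 2, 40), (0, 2, 41)}


def parse_version(v: str) -> tuple:
    """Normalise 'v1.9.4', '1.9.4' or 'openfga-0.2.41' to an int tuple."""
    v = v.strip()
    if v.startswith("openfga-"):
        v = v[len("openfga-"):]
    v = v.lstrip("v")
    v = v.split("-", 1)[0].split("+", 1)[0]   # drop '-rc1' / '+build' suffixes
    return tuple(int(p) for p in v.split("."))


def server_version_affected(version: str) -> bool:
    """True for a server binary or Docker image tag in the vulnerable range."""
    return parse_version(version) in AFFECTED_SERVER_VERSIONS


def helm_chart_affected(chart: str) -> bool:
    """True for a deployed Helm chart version in the vulnerable range."""
    return parse_version(chart) in AFFECTED_HELM_CHARTS


def find_multi_userset_relations(model: dict) -> list:
    """Return (object_type, relation, [usersets]) for every relation that is
    directly assignable by two or more usersets of the same type."""
    findings = []
    for td in model.get("type_definitions", []):
        obj_type = td.get("type")
        rel_meta = td.get("metadata", {}).get("relations", {})
        for rel_name, meta in rel_meta.items():
            by_type = defaultdict(list)
            for ref in meta.get("directly_related_user_types", []):
                # A userset reference carries a 'relation' key (group#member).
                # Plain type refs (user) and wildcards (user:*) do not, and
                # are not part of the triggering pattern.
                if "relation" in ref:
                    by_type[ref["type"]].append(f"{ref['type']}#{ref['relation']}")
            for usersets in by_type.values():
                if len(usersets) > 1:
                    findings.append((obj_type, rel_name, sorted(usersets)))
    return findings


# Constructed sample model: document#viewer is the only relation assignable
# by two usersets of the same type (group#member and group#admin).
SAMPLE_MODEL = json.loads("""
{
  "schema_version": "1.1",
  "type_definitions": [
    {"type": "user"},
    {"type": "group",
     "relations": {"member": {"this": {}}, "admin": {"this": {}}},
     "metadata": {"relations": {
       "member": {"directly_related_user_types": [{"type": "user"}]},
       "admin":  {"directly_related_user_types": [{"type": "user"}]}}}},
    {"type": "team",
     "relations": {"member": {"this": {}}},
     "metadata": {"relations": {
       "member": {"directly_related_user_types": [{"type": "user"}]}}}},
    {"type": "document",
     "relations": {"viewer": {"this": {}}, "editor": {"this": {}}},
     "metadata": {"relations": {
       "viewer": {"directly_related_user_types": [
         {"type": "group", "relation": "member"},
         {"type": "group", "relation": "admin"}]},
       "editor": {"directly_related_user_types": [
         {"type": "user"},
         {"type": "group", "relation": "member"},
         {"type": "team", "relation": "member"}]}}}}
  ]
}
""")


def audit(server_version: str, helm_chart: str, model: dict) -> dict:
    """Combine both checks: exposed only if the version is affected AND the
    model contains the triggering pattern."""
    version_hit = server_version_affected(server_version) or helm_chart_affected(helm_chart)
    pattern_hits = find_multi_userset_relations(model)
    return {
        "version_affected": version_hit,
        "triggering_relations": pattern_hits,
        "exposed": version_hit and bool(pattern_hits),
    }


if __name__ == "__main__":
    print(audit("v1.9.4", "openfga-0.2.41", SAMPLE_MODEL))
```

Exporting each model of a store (for example with `fga model get`) and passing it to `find_multi_userset_relations` shows whether the bug can be triggered at all. Note that `document#editor` in the sample is not flagged: it mixes `group#member` with `team#member`, which are usersets of different types, and the advisory only names relations assignable by more than one userset of the same type. A deployment on an affected version whose models never contain that pattern is not exposed by this CVE, but should still be upgraded.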


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade OpenFGA to v1.9.5, which contains the fix and is backward compatible with the affected versions. If upgrading immediately is not possible, the documented workaround is to downgrade to v1.9.2 and make sure the `enable-check-optimizations` experimental feature is disabled, that is, not listed in the OPENFGA_EXPERIMENTALS environment variable (or the equivalent `--experimentals` flag). The faulty userset optimization is part of that feature, so disabling it removes the improper policy enforcement. After either change, confirm the fix by re-running a Check or ListObjects request against a model that contains the triggering pattern and comparing the answer with the relationship tuples you expect. [1]

