CVE-2025-25196
Published: 19 February 2025
Summary
CVE-2025-25196 is a critical-severity Improper Authorization (CWE-285) vulnerability in OpenFGA, the Zanzibar-style authorization engine; the affected builds ship both as Docker images and through the openfga Helm chart. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood score sits at the 26.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement). In practice both come down to upgrading OpenFGA to v1.8.5, because the advisory names no workaround.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2025-25196 by requiring timely identification, reporting, and remediation of the authorization bypass through the vendor-recommended upgrade to OpenFGA v1.8.5.
- AC-3 (Access Enforcement): mandates that OpenFGA's Check and ListObjects APIs enforce only approved authorizations, so that the model, tuple, and userset conditions the advisory describes cannot yield an "allowed" the model does not grant.
- AC-24 (Access Control Decisions): requires OpenFGA, as the authorization decision point, to produce valid decisions for relations that are directly assignable to both type-bound public access and a userset of the same type, which is exactly the case the bypass affects.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why this technique?
The flaw lives in a network-accessible OpenFGA service. A remote attacker who can reach the Check or ListObjects API without credentials can submit a request in the shape the advisory describes and receive an authorization decision the model should have denied; no prior foothold or privilege is needed.
NVD Description
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA v1.8.4 or previous, specifically under the following conditions, are affected by this authorization bypass vulnerability:
1. Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type.
2. A type bound public access tuple is assigned to an object.
3. userset tuple is not assigned to the same object.
4. Check request's user field is a userset that has the same type as the type bound public access tuple's user type.
Users are advised to upgrade to v1.8.5 which is backwards compatible. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2025-25196 is an authorization bypass in OpenFGA v1.8.4 and earlier; the fix shipped in v1.8.5, and the NVD entry lists Helm chart releases before openfga-0.2.22 and the corresponding Docker images as affected. OpenFGA is a high-performance authorization and permission engine inspired by Google Zanzibar. The flaw is reached during certain Check and ListObjects calls when all four of the following hold: the model has a relation directly assignable to both type-bound public access (T:*) and a userset of the same type (T#rel); a T:* tuple is assigned to the object being checked; no userset tuple is assigned to that object; and the request's user field is itself a userset of type T.
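As an added example (not code from OpenFGA or from the advisory), the following Python script expresses the four trigger conditions over an authorization model in OpenFGA's JSON format, a tuple set and a Check request. The model, tuples and requests are constructed for illustration, and parse_user, risky_relations, trigger_conditions and is_patched_version are this script's own helpers, not OpenFGA API. It answers the two questions a practitioner wants before and after the upgrade: does my model contain a relation directly assignable to both T:* and a T#rel userset, and does a given request have the shape an unpatched server can wrongly allow.

```python
"""Triage helper for CVE-2025-25196 (OpenFGA authorization bypass).

Added example, not code from OpenFGA or the advisory. It relies on the
OpenFGA JSON model format (type_definitions -> metadata.relations[rel]
.directly_related_user_types) and on the user/relation/object fields of
tuples and Check requests. All data below is constructed.
"""
import json


def parse_user(user):
    """'group:eng#member' -> ('group','eng','member')  (userset)
       'group:*'          -> ('group','*',None)        (type-bound public access)
       'user:alice'       -> ('user','alice',None)     (plain object)"""
    obj, _, relation = user.partition("#")
    utype, _, uid = obj.partition(":")
    return utype, uid, relation or None


def risky_relations(model_json):
    """Advisory condition 1: relations directly assignable to both T:* and
    T#rel for the same type T.  Returns {(object_type, relation): {T,...}}."""
    out = {}
    for td in json.loads(model_json).get("type_definitions", []):
        for rel, meta in td.get("metadata", {}).get("relations", {}).items():
            wildcard_types, userset_types = set(), set()
            for drut in meta.get("directly_related_user_types", []):
                if "wildcard" in drut:
                    wildcard_types.add(drut["type"])
                elif drut.get("relation"):
                    userset_types.add(drut["type"])
            if wildcard_types & userset_types:
                out[(td["type"], rel)] = wildcard_types & userset_types
    return out


def trigger_conditions(model_json, tuples, request):
    """Evaluate the four advisory conditions for one Check request.
    All True means the request has the shape an unpatched server
    (<= v1.8.4) can wrongly answer with allowed=true."""
    obj_type = request["object"].partition(":")[0]
    u_type, _, u_rel = parse_user(request["user"])
    risky = risky_relations(model_json).get((obj_type, request["relation"]), set())
    same = [t for t in tuples
            if t["object"] == request["object"] and t["relation"] == request["relation"]]
    public_assigned = any(t["user"] == f"{u_type}:*" for t in same)
    # Literal reading of condition 3: no userset of type T ('#' in user)
    # is assigned on this object/relation.
    userset_assigned = any("#" in t["user"] and parse_user(t["user"])[0] == u_type
                           for t in same)
    return {
        1: u_type in risky,        # relation allows both T:* and T#rel
        2: public_assigned,        # a T:* tuple exists on the object
        3: not userset_assigned,   # no T#rel tuple on the object
        4: u_rel is not None,      # request user is a userset of type T
    }


def is_vulnerable_shape(model_json, tuples, request):
    return all(trigger_conditions(model_json, tuples, request).values())


def is_patched_version(version):
    """v1.8.5 is the first release the advisory names as fixed."""
    parts = tuple(int(p) for p in version.lstrip("v").split(".")[:3])
    return parts >= (1, 8, 5)


# Constructed model: document#viewer accepts both group:* and group#member,
# which is the dual-assignable pattern of condition 1.
MODEL_JSON = json.dumps({"schema_version": "1.1", "type_definitions": [
    {"type": "user", "relations": {}},
    {"type": "group", "relations": {"member": {"this": {}}},
     "metadata": {"relations": {"member": {
         "directly_related_user_types": [{"type": "user"}]}}}},
    {"type": "document", "relations": {"viewer": {"this": {}}},
     "metadata": {"relations": {"viewer": {"directly_related_user_types": [
         {"type": "group", "wildcard": {}}, {"type": "group", "relation": "member"}]}}}},
]})

TUPLES = [  # constructed store contents
    {"user": "user:alice", "relation": "member", "object": "group:eng"},
    {"user": "group:*", "relation": "viewer", "object": "document:1"},
]
BYPASS_REQUEST = {"user": "group:eng#member", "relation": "viewer", "object": "document:1"}
BENIGN_REQUEST = {"user": "group:eng", "relation": "viewer", "object": "document:1"}

if __name__ == "__main__":
    print("risky relations:", risky_relations(MODEL_JSON))
    for req in (BYPASS_REQUEST, BENIGN_REQUEST):
        print(req["user"], trigger_conditions(MODEL_JSON, TUPLES, req))
    print("v1.8.4 patched?", is_patched_version("v1.8.4"))
```

The benign request (user `group:eng`, a plain object that `group:*` legitimately covers) fails only condition 4, which is the point: the bug is specific to a userset in the user field, not to public access as such. Feed risky_relations the JSON you export from a store's authorization model; a model with no dual-assignable relation cannot reach the vulnerable path, but still upgrade, since the next model change may introduce one.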
The vulnerability can be exploited by unauthenticated remote attackers with network access to the OpenFGA instance; the attack is low complexity and needs no privileges. A Check or ListObjects request that meets the four conditions receives a decision the model should deny: Check answers allowed, or ListObjects returns an object the caller holds no relation to, and every application that enforces access on that answer lets the request through. The CVSS v3.1 base score of 9.8 (high confidentiality, integrity, and availability impact) reflects the worst case of an internet-reachable, unauthenticated OpenFGA endpoint. Real exposure depends on two things a deployment can check: whether the API is reachable by untrusted callers, and whether the model contains a relation directly assignable to both type-bound public access and a userset of the same type, since condition 1 cannot be met without that pattern.
The official security advisory recommends upgrading to OpenFGA v1.8.5, which is backwards compatible and addresses the issue; no workarounds are available. Details are in the GitHub security advisory at https://github.com/openfga/openfga/security/advisories/GHSA-g4v5-6f5p-m38j and the fixing commit at https://github.com/openfga/openfga/commit/0aee4f47e0c642de78831ceb27bb62b116f49588.
Details
- CWE(s)