CVE-2025-25196

{"id": "CVE-2025-25196", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-19T21:15:15.577", "references": [{"url": "https://github.com/openfga/openfga/commit/0aee4f47e0c642de78831ceb27bb62b116f49588", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openfga/openfga/security/advisories/GHSA-g4v5-6f5p-m38j", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA v1.8.4 or previous, specifically under the following conditions are affected by this authorization bypass vulnerability: 1. Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type. 2. A type bound public access tuple is assigned to an object. 3. userset tuple is not assigned to the same object. and 4. Check request's user field is a userset that has the same type as the type bound public access tuple's user type. Users are advised to upgrade to v1.8.5 which is backwards compatible. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "OpenFGA es un motor de autorizaci\u00f3n/permiso de alto rendimiento y flexible creado para desarrolladores e inspirado en Google Zanzibar. OpenFGA &lt; v1.8.4 (Helm chart &lt; openfga-0.2.22, docker &lt; v.1.8.4) es vulnerable a la omisi\u00f3n de autorizaci\u00f3n cuando se ejecutan ciertas llamadas Check y ListObject. Los usuarios de OpenFGA v1.8.4 o anteriores, espec\u00edficamente en las siguientes condiciones, se ven afectados por esta vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n: 1. Llamar a la API Check o ListObjects con un modelo que tiene una relaci\u00f3n directamente asignable tanto al acceso p\u00fablico como al conjunto de usuarios con el mismo tipo. 2. Una tupla de acceso p\u00fablico vinculada a un tipo se asigna a un objeto. 3. La tupla de conjunto de usuarios no se asigna al mismo objeto. y 4. El campo de usuario de la solicitud Check es un conjunto de usuarios que tiene el mismo tipo que el tipo de usuario de la tupla de acceso p\u00fablico vinculada a un tipo. Se recomienda a los usuarios que actualicen a la versi\u00f3n 1.8.5, que es compatible con versiones anteriores. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2025-12-31T14:18:13.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD3FD955-667F-46BC-A004-BB16AB5761C6", "versionEndExcluding": "0.2.22"}, {"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BAFEBEA0-CDD3-40E7-B95A-235547BE1127", "versionEndExcluding": "1.8.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}