x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2025-48371

[GoVulnBot]

Advisory CVE-2025-48371 references a vulnerability in the following Go modules:

Module
github.com/openfga/openfga

Description:
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly a...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-48371
• FIX: openfga/openfga@e5960d4
• WEB: GHSA-c72g-53hw-82q7

Cross references:

• github.com/openfga/openfga appears in 15 other report(s):
  • data/reports/GO-2022-1079.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39340 #1079)
  • data/reports/GO-2022-1080.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39341 #1080)
  • data/reports/GO-2022-1081.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39342 #1081)
  • data/reports/GO-2022-1099.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39352 #1099)
  • data/reports/GO-2022-1179.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-23542 #1179)
  • data/reports/GO-2023-1872.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-35933 #1872)
  • data/reports/GO-2023-2028.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-jcf2-mxr2-gmqp #2028)
  • data/reports/GO-2023-2084.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-43645 #2084)
  • data/reports/GO-2023-2121.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-45810 #2121)
  • data/reports/GO-2024-2477.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-23820 #2477)
  • data/reports/GO-2024-2729.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-31452 #2729)
  • data/reports/GO-2024-3061.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-3f6g-m4hr-59h8 #3061)
  • data/reports/GO-2025-3384.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-32q6-rr98-cjqv #3384)
  • data/reports/GO-2025-3470.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-g4v5-6f5p-m38j #3470)
  • data/reports/GO-2025-3657.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2025-46331 #3657)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openfga/openfga
      vulnerable_at: 1.8.13
summary: CVE-2025-48371 in github.com/openfga/openfga
cves:
    - CVE-2025-48371
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-48371
    - fix: https://github.com/openfga/openfga/commit/e5960d4eba92b723de8ff3a5346a07f50c1379ca
    - web: https://github.com/openfga/openfga/security/advisories/GHSA-c72g-53hw-82q7
source:
    id: CVE-2025-48371
    created: 2025-05-23T00:01:26.762529158Z
review_status: UNREVIEWED