CVE-2023-43645: 
Wolfi vulnerability analysis and mitigation

OpenFGA, an authorization/permission engine built for developers and inspired by Google Zanzibar, was found to be vulnerable to a denial of service attack. The vulnerability (CVE-2023-43645) affects versions prior to 1.3.2 and occurs when certain Check calls are executed against authorization models containing circular relationship definitions. When such calls are made, the server can exhaust resources and terminate (GitHub Advisory).

The vulnerability stems from improper handling of circular relationship definitions in authorization models. When processing Check calls against models with circular relationships (e.g., where relation definitions reference each other in a loop), the server can enter a resource-exhausting state. The issue is classified with CWE-835 (Loop with Unreachable Exit Condition) and has been assigned a CVSS v3.1 score of 5.9 MEDIUM (NVD).

When exploited, this vulnerability can cause the OpenFGA server to exhaust its resources and terminate, resulting in a denial of service condition. This affects the availability of the authorization service for all users. The impact is particularly significant for systems that rely on OpenFGA for access control decisions (GitHub Advisory).

Users are advised to upgrade to OpenFGA version 1.3.2 or later. This is a breaking change - after upgrading, models containing cycles or relation definitions that have the relation itself in their evaluation path will return errors instead of being evaluated. Users must update their authorization models to remove any circular relationships. Users who do not have cyclic models in their implementation are not affected by this vulnerability (GitHub Advisory).