
Cloud Vulnerability DB
A community-led vulnerabilities database
OpenFGA, an authorization/permission engine, disclosed a vulnerability (CVE-2025-48371) affecting versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12). The vulnerability was discovered and disclosed on May 22, 2025, involving an authorization bypass when certain Check and ListObject calls are executed (NVD).
The vulnerability occurs only when four conditions hold at the same time:

1. The Check or ListObjects API is called with an authorization model in which a relation is directly assignable by both type-bound public access and a userset.
2. The Check or ListObjects query carries contextual tuples for that relation.
3. The user field of those contextual tuples is a userset.
4. No type-bound public access tuples are actually assigned to the relation.

The vulnerability has been assigned a CVSS 4.0 Base Score of 5.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H (NVD).
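As an added audit example (not code from OpenFGA or from this report), the following Python script reads an authorization model in OpenFGA's JSON model format (assumed: a `wildcard` entry in `directly_related_user_types` marks type-bound public access, an entry with `relation` marks a userset) and flags relations matching condition 1, plus contextual tuples in a Check or ListObjects request that match conditions 2 and 3. The model and request below are constructed; condition 4 depends on what is stored in the tuple store and is left to the operator.

```python
import json

# Constructed OpenFGA authorization model (OpenFGA JSON model format, assumed).
# document#viewer is directly assignable by a type-bound public access entry
# ("user" with "wildcard") and by a userset ("group#member"): condition 1.
MODEL_JSON = """{
  "schema_version": "1.1",
  "type_definitions": [
    {"type": "user"},
    {"type": "group", "relations": {"member": {"this": {}}},
     "metadata": {"relations": {"member": {
       "directly_related_user_types": [{"type": "user"}]}}}},
    {"type": "document", "relations": {"viewer": {"this": {}}},
     "metadata": {"relations": {"viewer": {
       "directly_related_user_types": [
         {"type": "user"},
         {"type": "user", "wildcard": {}},
         {"type": "group", "relation": "member"}]}}}}
  ]
}"""

def load_model(text=MODEL_JSON):
    return json.loads(text)

def dual_assignable_relations(model):
    """Return {"type#relation"} for relations directly assignable by both a
    type-bound public access entry and a userset entry (condition 1)."""
    found = set()
    for td in model.get("type_definitions", []):
        rels = (td.get("metadata") or {}).get("relations") or {}
        for rel, meta in rels.items():
            types = meta.get("directly_related_user_types") or []
            if any("wildcard" in t for t in types) and any(t.get("relation") for t in types):
                found.add(f"{td['type']}#{rel}")
    return found

def risky_contextual_tuples(model, contextual_tuples):
    """Return contextual tuples that target a dual-assignable relation with a
    userset user such as group:eng#member (conditions 2 and 3). Condition 4
    (no public-access tuple stored for the relation) is not checked here."""
    dual = dual_assignable_relations(model)
    return [t for t in contextual_tuples
            if f"{t['object'].split(':', 1)[0]}#{t['relation']}" in dual
            and "#" in t["user"]]

if __name__ == "__main__":
    model = load_model()
    # Constructed Check request contextual tuple whose user is a userset.
    ctx = [{"user": "group:eng#member", "relation": "viewer", "object": "document:1"}]
    print(dual_assignable_relations(model))     # {'document#viewer'}
    print(risky_contextual_tuples(model, ctx))  # the tuple above
```

On a deployment still running 1.8.0 through 1.8.12, a non-empty result from `risky_contextual_tuples` marks a request worth logging and reviewing until the upgrade to 1.8.13 is done.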
The vulnerability could lead to authorization bypass, potentially allowing unauthorized access to protected resources. The CVSS vector records no direct impact on the vulnerable system itself (VC:N/VI:N/VA:N) but high impact on the confidentiality, integrity, and availability of the subsequent systems that rely on its authorization decisions (SC:H/SI:H/SA:H) (NVD).
Users are advised to upgrade to OpenFGA version 1.8.13, which contains a patch for this vulnerability. The upgrade is backwards compatible and addresses the authorization bypass issue (GitHub Advisory).
Source: This report was generated using AI