x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-g4v5-6f5p-m38j

[GoVulnBot]

Advisory GHSA-g4v5-6f5p-m38j references a vulnerability in the following Go modules:

Module
github.com/openfga/openfga

Description:
Overview
OpenFGA v1.8.4 or previous (Helm chart < openfga-0.2.22, docker < v.1.8.5) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

Am I Affected?
If you are using OpenFGA v1.8.4 or previous, specifically under the following conditions, you are affected by this authorization bypass vulnerability:

• Calling Check API or ListObjects with a model that has a relation directly assignable to both public access A...

References:

• ADVISORY: GHSA-g4v5-6f5p-m38j
• ADVISORY: GHSA-g4v5-6f5p-m38j
• FIX: openfga/openfga@0aee4f4

Cross references:

• github.com/openfga/openfga appears in 13 other report(s):
  • data/reports/GO-2022-1079.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39340 #1079)
  • data/reports/GO-2022-1080.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39341 #1080)
  • data/reports/GO-2022-1081.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39342 #1081)
  • data/reports/GO-2022-1099.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-39352 #1099)
  • data/reports/GO-2022-1179.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2022-23542 #1179)
  • data/reports/GO-2023-1872.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-35933 #1872)
  • data/reports/GO-2023-2028.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-jcf2-mxr2-gmqp #2028)
  • data/reports/GO-2023-2084.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-43645 #2084)
  • data/reports/GO-2023-2121.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2023-45810 #2121)
  • data/reports/GO-2024-2477.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-23820 #2477)
  • data/reports/GO-2024-2729.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: CVE-2024-31452 #2729)
  • data/reports/GO-2024-3061.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-3f6g-m4hr-59h8 #3061)
  • data/reports/GO-2025-3384.yaml (x/vulndb: potential Go vuln in github.com/openfga/openfga: GHSA-32q6-rr98-cjqv #3384)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openfga/openfga
      non_go_versions:
        - introduced: TODO (earliest fixed "1.8.5", vuln range "<= 1.8.4")
      vulnerable_at: 1.8.5
summary: OpenFGA Authorization Bypass in github.com/openfga/openfga
cves:
    - CVE-2025-25196
ghsas:
    - GHSA-g4v5-6f5p-m38j
references:
    - advisory: https://github.com/advisories/GHSA-g4v5-6f5p-m38j
    - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-g4v5-6f5p-m38j
    - fix: https://github.com/openfga/openfga/commit/0aee4f47e0c642de78831ceb27bb62b116f49588
source:
    id: GHSA-g4v5-6f5p-m38j
    created: 2025-02-19T21:01:19.145555034Z
review_status: UNREVIEWED