
CVE-2024-23820: OpenFGA denial of service

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.21683%
Published: 1/26/2024
Updated: 2/1/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name: github.com/openfga/openfga
Ecosystem: go
Vulnerable Versions: < 1.4.3
First Patched Version: 1.4.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper resource cleanup in ListObjects handling. The fix commits show critical changes to channel management patterns:

  1. In list_objects.go, the consumer loop was restructured to handle channel closure properly, and a separate error channel was added.
  2. In reverse_expand.go, the Execute function was modified to return errors directly instead of sending them through the channel, ensuring proper cleanup.
  3. The removal of the ReverseExpandResult.Err field indicates a shift in error-handling strategy.

These changes address CWE-401 (memory not released) by ensuring channels are closed and goroutines properly terminated, and CWE-770 (resource limits) through better concurrency control.


WAF Protection Rules

WAF Rule

Overview: OpenFGA is vulnerable to a DoS attack. In some scenarios that depend on the model and tuples used, a call to ListObjects may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server

T** vuln*r**ility st*ms *rom improp*r r*sour** *l**nup in ListO*j**ts **n*lin*. T** *ommit *ix*s s*ow *riti**l ***n**s to ***nn*l m*n***m*nt p*tt*rns: *. In list_o*j**ts.*o, t** *onsum*r loop w*s r*stru*tur** to **n*l* ***nn*l *losur* prop*rly *n* **