N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-25196

GHSA ID

GHSA-g4v5-6f5p-m38j

EPSS Score

0.25278%

CWE

CWE-285

Published

2/19/2025

Updated

2/19/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-25196

CVE-2025-25196: OpenFGA Authorization Bypass

Overview OpenFGA v1.8.4 or previous (Helm chart < openfga-0.2.22, docker < v.1.8.5) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

Am I Affected? If you are using OpenFGA v1.8.4 or previous, specifically under the following conditions, you are affected by this authorization bypass vulnerability:

Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type, and
A type bound public access tuple is assigned to an object, and
userset tuple is not assigned to the same object, and
Check request's user field is a userset that has the same type as the type bound public access tuple's user type

Fix Upgrade to v1.8.5. This upgrade is backwards compatible.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-25196

CVE-2025-25196:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-25196

GHSA ID

GHSA-g4v5-6f5p-m38j

EPSS Score

0.25278%

CWE

CWE-285

Published

2/19/2025

Updated

2/19/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/openfga/openfga	go	<= 1.8.4	1.8.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of userset types in public assignable checks. The commit fixes this by adding explicit userset checks in two critical locations:

In check.go's shouldCheckPublicAssignable, where a userset user was previously not excluded from public assignable evaluation.
In reverse_expand.go's logic, where the new shouldCheckPublicAssignable wrapper was added to prevent userset misinterpretation. These functions are central to authorization evaluation, and their lack of userset validation directly enabled the bypass scenario described in the CVE.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-25196: OpenFGA Authorization Bypass

CVE-2025-25196:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

N/A

N/A

CVE-2025-25196: OpenFGA Authorization Bypass

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI