CVE-2023-35933

OpenFGA denial of service due to circular relationship

CVSS 5.9 (Medium) · EPSS 0.9% · CWE-835
In short

OpenFGA versions 1.1.0 and earlier crash when processing authorization checks or object listings against models with circular relationships, causing the service to become unavailable.

Technical detail

A denial of service vulnerability exists in OpenFGA v1.1.0 and prior when Check or ListObjects API calls are made against authorization models containing circular relationship definitions, triggering infinite loops (CWE-835) that exhaust resources and crash the service. The attack requires the attacker to submit legitimate API calls to a vulnerable OpenFGA instance; no authentication bypass is needed if the API is exposed.
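As an added example (not code from the OpenFGA project or from this advisory), the kind of pre-deployment check a defender can run over an authorization model to reject circular relationship definitions before they reach a Check or ListObjects path. The `Model` type and the `type#relation` naming are assumptions of this example, a deliberately simplified view of a model, not OpenFGA's own types.

```go
package main

import "fmt"

// Relation names a relation on an object type, e.g. "document#viewer".
type Relation string

// Model is a constructed, simplified view of an authorization model: for each
// relation, the relations it rewrites to ("define viewer: editor"). Not OpenFGA's own type.
type Model map[Relation][]Relation

// FindCycle returns one circular relationship path (its first relation repeated at
// the end) if the model contains one, or nil. Depth-first search with white/grey/black
// colouring: reaching a grey relation again is a back edge, i.e. a loop a resolver
// without cycle protection would follow forever.
func FindCycle(m Model) []Relation {
	const white, grey, black = 0, 1, 2
	color := map[Relation]int{}
	var path, found []Relation
	var visit func(r Relation) bool
	visit = func(r Relation) bool {
		color[r], path = grey, append(path, r)
		for _, next := range m[r] {
			if color[next] == grey { // back edge: cut the loop out of the current path
				for i := range path {
					if path[i] == next {
						found = append(append([]Relation{}, path[i:]...), next)
						return true
					}
				}
			} else if color[next] == white && visit(next) {
				return true
			}
		}
		path, color[r] = path[:len(path)-1], black
		return false
	}
	for r := range m {
		if color[r] == white && visit(r) {
			return found
		}
	}
	return nil
}

func main() {
	// Constructed sample: viewer rewrites to editor, which rewrites back to viewer.
	bad := Model{"document#viewer": {"document#editor"}, "document#editor": {"document#viewer"}}
	fmt.Println("cycle:", FindCycle(bad)) // prints a three-element loop ending where it starts
}
```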

Summary generated and translated by AI from the official description.
OpenFGA is an open source authorization/permission engine built for developers. OpenFGA versions v1.1.0 and prior are vulnerable to a DoS attack when Check and ListObjects calls are executed against authorization models that contain circular relationship definitions. Users are affected by this vulnerability if they are using OpenFGA v1.1.0 or earlier, and if they are executing `Check` or `ListObjects` calls against a vulnerable authorization model. Users are advised to upgrade to version 1.1.1. There are no known workarounds for this vulnerability. Users that do not have circular relationships in their models are not affected.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
openfga · openfga
