CVE-2023-43645

Denial of service from circular relationship definitions in OpenFGA

CVSS 5.9 (Medium) · EPSS 0.8% · CWE-835
In short

OpenFGA can crash when processing authorization checks on models with circular relationship definitions, causing the service to become unavailable. This happens because the system gets stuck in an infinite loop trying to evaluate permissions.

Technical detail

The vulnerability exists in OpenFGA's Check operation when authorization models contain circular relationship definitions (CWE-835, Infinite Loop). An attacker can trigger resource exhaustion on the server by executing Check calls against such models, resulting in denial of service. Mitigation requires upgrading to v1.3.2, which returns errors for cyclic relationship definitions instead of evaluating them.
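The mechanism described above is a relation graph that recurses into itself (a relation whose evaluation path leads back to the same relation). The defensive fix in v1.3.2 is to reject such models rather than evaluate them. The following is an added example, not OpenFGA's own code: it represents a model's relation definitions as a hypothetical `RelationGraph` (keys and values of the form `type#relation`, hand-constructed here) and runs a depth-first cycle search over it, so a cyclic or self-referential model is refused before any Check could loop. The sample models and the `ValidateModel` helper are assumptions for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// RelationGraph maps "type#relation" to the relations its definition references.
// Hypothetical, simplified representation of a model's relation definitions;
// not an OpenFGA type.
type RelationGraph map[string][]string

// Constructed sample models (illustrative only).
var (
	// document#viewer is defined via editor, editor via owner, owner stands alone: acyclic.
	AcyclicModel = RelationGraph{
		"document#viewer": {"document#editor"},
		"document#editor": {"document#owner"},
		"document#owner":  {},
	}
	// viewer references editor and editor references viewer: a two-node cycle.
	CyclicModel = RelationGraph{
		"document#viewer": {"document#editor"},
		"document#editor": {"document#viewer"},
	}
	// owner references itself: the "relation in its own evaluation path" case.
	SelfReferentialModel = RelationGraph{
		"document#owner": {"document#owner"},
	}
)

// FindCycle returns a cycle as a path whose first and last element are equal
// (e.g. [a, b, a]), or nil when the graph is acyclic. Nodes are visited in
// sorted order so the reported cycle is deterministic.
func FindCycle(g RelationGraph) []string {
	const (white, grey, black = 0, 1, 2)
	colour := make(map[string]int)
	nodes := make([]string, 0, len(g))
	for n := range g {
		nodes = append(nodes, n)
	}
	sort.Strings(nodes)

	var path []string
	var dfs func(n string) []string
	dfs = func(n string) []string {
		colour[n] = grey // on the current DFS stack
		path = append(path, n)
		for _, m := range g[n] {
			switch colour[m] {
			case grey:
				// Back edge to a node still on the stack: that is the cycle.
				for i, p := range path {
					if p == m {
						cyc := append([]string{}, path[i:]...)
						return append(cyc, m)
					}
				}
			case white:
				if c := dfs(m); c != nil {
					return c
				}
			}
		}
		path = path[:len(path)-1]
		colour[n] = black // fully explored, cannot be part of a cycle
		return nil
	}

	for _, n := range nodes {
		if colour[n] == white {
			if c := dfs(n); c != nil {
				return c
			}
		}
	}
	return nil
}

// ValidateModel refuses a model containing a cycle instead of letting a
// later Check recurse without bound (the behaviour the advisory attributes to v1.3.2+).
func ValidateModel(g RelationGraph) error {
	if c := FindCycle(g); c != nil {
		return fmt.Errorf("cyclic relation definition: %s", strings.Join(c, " -> "))
	}
	return nil
}

func main() {
	for name, m := range map[string]RelationGraph{
		"acyclic": AcyclicModel, "cyclic": CyclicModel, "self-referential": SelfReferentialModel,
	} {
		fmt.Printf("%-17s %v\n", name+":", ValidateModel(m))
	}
}
```

Running a check like this at model-write time (or in CI over model files) turns the infinite loop into a rejected model, which is the same trade-off the advisory describes: cyclic models stop being evaluated and return errors instead.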

Summary generated and translated by AI from the official description.

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA is vulnerable to a denial of service attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When the call is made, it's possible for the server to exhaust resources and die. Users are advised to upgrade to v1.3.2 and update any offending models. There are no known workarounds for this vulnerability. Note that for models which contained cycles or a relation definition that has the relation itself in its evaluation path, checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. Users who do not have cyclic models are unaffected.

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
openfga · openfga
