CVE-2025-55213

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-55213
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55213.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-55213
Aliases
Published
2025-08-18T19:23:33.684Z
Modified
2026-04-02T12:55:36.299870Z
Severity
  • 5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator
Summary
OpenFGA Authorization Bypass (Check)
Details

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.9.3 to v1.9.4 ( openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v.1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This vulnerability is fixed in 1.9.5.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55213.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/openfga/helm-charts

Affected ranges

Type
GIT
Repo
https://github.com/openfga/helm-charts
Events
Introduced
87c202e20a7a0a36d21b06461f28bf7c3e4fe19e
Fixed
30f74d8ef3a38e7e6b3d219b1a11b63bee94473f
Database specific 
{
    "versions": [
        {
            "introduced": "0.2.40"
        },
        {
            "fixed": "0.2.42"
        }
    ]
}

Affected versions

openfga-0.*
openfga-0.2.40
openfga-0.2.41

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55213.json"

Git / github.com/openfga/openfga

Affected ranges

Type
GIT
Repo
https://github.com/openfga/openfga
Events
Introduced
29a0aac987d121d37a7bd293a026b9521a8d6b24
Fixed
06115c523f974d385896b159a60fe6e12c41e57d

Affected versions

v1.*
v1.9.3
v1.9.4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55213.json"