CVE-2025-64751

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-64751
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64751.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64751
Aliases
Downstream
Related
Published
2025-11-21T01:24:32.509Z
Modified
2026-03-23T05:11:29.753364927Z
Severity
  • 5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator
Summary
OpenFGA Improper Policy Enforcement
Details

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64751.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-285"
    ]
}
References

Affected packages

Git / github.com/openfga/helm-charts

Affected ranges

Type
GIT
Repo
https://github.com/openfga/helm-charts
Events
Introduced
7a85b39891ac9011c92e5f4892893935742f921a
Fixed
743b07b3c726955cac7a1f50d2030727497a1d10
Database specific 
{
    "versions": [
        {
            "introduced": "0.1.34"
        },
        {
            "fixed": "0.2.49"
        }
    ]
}

Affected versions

openfga-0.*
openfga-0.1.34
openfga-0.1.35
openfga-0.1.36
openfga-0.1.37
openfga-0.1.38
openfga-0.1.39
openfga-0.1.40
openfga-0.1.41
openfga-0.2.0
openfga-0.2.1
openfga-0.2.10
openfga-0.2.11
openfga-0.2.12
openfga-0.2.13
openfga-0.2.14
openfga-0.2.15
openfga-0.2.16
openfga-0.2.17
openfga-0.2.18
openfga-0.2.19
openfga-0.2.2
openfga-0.2.20
openfga-0.2.21
openfga-0.2.22
openfga-0.2.23
openfga-0.2.24
openfga-0.2.25
openfga-0.2.26
openfga-0.2.27
openfga-0.2.28
openfga-0.2.29
openfga-0.2.3
openfga-0.2.30
openfga-0.2.31
openfga-0.2.32
openfga-0.2.33
openfga-0.2.34
openfga-0.2.35
openfga-0.2.36
openfga-0.2.37
openfga-0.2.38
openfga-0.2.39
openfga-0.2.4
openfga-0.2.40
openfga-0.2.41
openfga-0.2.42
openfga-0.2.43
openfga-0.2.44
openfga-0.2.45
openfga-0.2.46
openfga-0.2.47
openfga-0.2.48
openfga-0.2.5
openfga-0.2.6
openfga-0.2.7
openfga-0.2.8
openfga-0.2.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64751.json"

Git / github.com/openfga/openfga

Affected ranges

Type
GIT
Repo
https://github.com/openfga/openfga
Events
Introduced
eca56d26cca39d31ec947e79dd851cdd373e1b52
Fixed
f375f50ca602da0596212ba7f915897f2d26f1be

Affected versions

v1.*
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.11.0
v1.4.0
v1.4.1
v1.4.3
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.13
v1.8.14
v1.8.15
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.2
v1.9.3
v1.9.4
v1.9.5

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64751.json"