CVE-2025-64751

Source
https://cve.org/CVERecord?id=CVE-2025-64751
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64751.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64751
Published
2025-11-21T01:24:32.509Z
Modified
2026-04-02T13:00:09.321309Z
Severity
  • 5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Summary
OpenFGA Improper Policy Enforcement
Details

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 through v1.11.0 (Helm chart openfga-0.1.34 through openfga-0.2.48; Docker image v1.4.0 through v1.11.0) is vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1.

Database specific
{
    "cwe_ids": [
        "CWE-285"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64751.json",
    "cna_assigner": "GitHub_M"
}
Affected packages

Git / github.com/openfga/helm-charts

Affected ranges

Type
GIT
Repo
https://github.com/openfga/helm-charts
Database specific
{
    "versions": [
        {
            "introduced": "0.1.34"
        },
        {
            "fixed": "0.2.49"
        }
    ]
}

Affected versions

openfga-0.*
openfga-0.1.34
openfga-0.1.35
openfga-0.1.36
openfga-0.1.37
openfga-0.1.38
openfga-0.1.39
openfga-0.1.40
openfga-0.1.41
openfga-0.2.0
openfga-0.2.1
openfga-0.2.10
openfga-0.2.11
openfga-0.2.12
openfga-0.2.13
openfga-0.2.14
openfga-0.2.15
openfga-0.2.16
openfga-0.2.17
openfga-0.2.18
openfga-0.2.19
openfga-0.2.2
openfga-0.2.20
openfga-0.2.21
openfga-0.2.22
openfga-0.2.23
openfga-0.2.24
openfga-0.2.25
openfga-0.2.26
openfga-0.2.27
openfga-0.2.28
openfga-0.2.29
openfga-0.2.3
openfga-0.2.30
openfga-0.2.31
openfga-0.2.32
openfga-0.2.33
openfga-0.2.34
openfga-0.2.35
openfga-0.2.36
openfga-0.2.37
openfga-0.2.38
openfga-0.2.39
openfga-0.2.4
openfga-0.2.40
openfga-0.2.41
openfga-0.2.42
openfga-0.2.43
openfga-0.2.44
openfga-0.2.45
openfga-0.2.46
openfga-0.2.47
openfga-0.2.48
openfga-0.2.5
openfga-0.2.6
openfga-0.2.7
openfga-0.2.8
openfga-0.2.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64751.json"

Git / github.com/openfga/openfga

Affected ranges

Type
GIT
Repo
https://github.com/openfga/openfga
Affected versions

v1.*
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.11.0
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.4-rc1
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.13
v1.8.14
v1.8.15
v1.8.16
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.2
v1.9.3
v1.9.4
v1.9.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64751.json"