PT-2023-25391 · Openfga · Openfga

Jon-Whit · Published 2023-06-26 · Updated 2023-07-06

CVE-2023-35933
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OpenFGA versions v1.1.0 and prior

Description: The issue concerns a denial of service attack that can occur when certain Check or ListObjects calls are executed against authorization models containing circular relationship definitions. Users are affected if they are using OpenFGA v1.1.0 or earlier and are executing these calls against a vulnerable authorization model. There are no known workarounds for this issue. Users without circular relationships in their models are not affected.

Recommendations: Upgrade to version 1.1.1. If you are not passing an invalid authorization model as a parameter of your Check and ListObjects calls, this upgrade is backwards compatible. Otherwise, OpenFGA v1.1.1 will start returning HTTP 400 status codes on those calls. As a temporary workaround, consider avoiding the execution of Check and ListObjects calls against authorization models that contain circular relationship definitions until the upgrade is applied.
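As an added example (not OpenFGA's own code, and not tied to its real model JSON schema), the following Python walks a simplified representation of an authorization model, in which each relation lists the other relations on the same type that its definition refers to, and reports any circular definition, so a model can be screened before Check or ListObjects calls are run against a pre-1.1.1 server. The type and relation names and the dict layout are constructed for illustration; cross-type references are not modelled.

```python
from typing import Dict, List

# Constructed, simplified model shape: type -> relation -> relations referenced
# by that relation's definition (same type only). Not OpenFGA's own schema.
Model = Dict[str, Dict[str, List[str]]]


def find_circular_relations(model: Model) -> List[List[str]]:
    """Return every cycle among relation definitions, each as a list of
    'type#relation' names ending on the node that closes the loop."""
    cycles: List[List[str]] = []
    for type_name, relations in model.items():
        # Directed reference graph for this type: relation -> referenced relations.
        graph = {f"{type_name}#{rel}": [f"{type_name}#{t}" for t in targets]
                 for rel, targets in relations.items()}
        state: Dict[str, int] = {}  # 0 = unvisited, 1 = on current path, 2 = done
        path: List[str] = []

        def dfs(node: str) -> None:
            state[node] = 1
            path.append(node)
            for nxt in graph.get(node, []):
                if state.get(nxt, 0) == 1:
                    # Back edge to a node still on the path: that is a cycle.
                    cycles.append(path[path.index(nxt):] + [nxt])
                elif state.get(nxt, 0) == 0:
                    dfs(nxt)
            path.pop()
            state[node] = 2

        for node in graph:
            if state.get(node, 0) == 0:
                dfs(node)
    return cycles


# Constructed sample: 'viewer' is defined via 'editor' and 'editor' via 'viewer'.
CIRCULAR_MODEL: Model = {
    "document": {"viewer": ["editor"], "editor": ["viewer"], "owner": []}
}
# Constructed sample with no circular definition: viewer -> editor -> owner.
SAFE_MODEL: Model = {
    "document": {"viewer": ["editor"], "editor": ["owner"], "owner": []}
}

if __name__ == "__main__":
    for label, m in (("circular", CIRCULAR_MODEL), ("safe", SAFE_MODEL)):
        print(label, find_circular_relations(m))
```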

Weakness Enumeration: Infinite Loop

Related Identifiers

CVE-2023-35933
GHSA-HR9R-8PHQ-5X8J
GO-2023-1872

Affected Products

Openfga