PT-2023-28896 · Openfga · Openfga

Jon-Whit · Published 2023-09-26 · Updated 2024-08-21 · CVE-2023-43645

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OpenFGA versions prior to 1.3.2

Description: OpenFGA is vulnerable to a denial of service attack when certain Check calls are executed against authorization models that contain circular relationship definitions. This can cause the server to exhaust resources and die. Users with models that contain cycles, or a relation definition that has the relation itself in its evaluation path, will need to update their models: on version 1.3.2 and later, checks and queries that require evaluating such a definition are no longer evaluated and return errors instead.

Recommendations: For OpenFGA versions prior to 1.3.2, upgrade to version 1.3.2 and update any offending models to remove circular relationships. As a temporary workaround, avoid Check calls against authorization models that contain circular relationship definitions until the issue is resolved, and restrict access to models that contain cycles or a relation definition that has the relation itself in its evaluation path to minimize the risk of exploitation.
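Because version 1.3.2 and later reject checks that hit a cyclic definition, a model is best screened for cycles before the upgrade. The following is an added example, not OpenFGA's own code nor part of this advisory: it walks a simplified relation graph of a model with a depth-first search and reports the first cycle it finds, including a relation that references itself. The `Model` type and the `"type#relation"` naming are assumptions of the example; a real model has to be mapped onto them first.

```go
package main

import "fmt"

// Model is a constructed, simplified view of an authorization model: each key
// is a "type#relation" and its value lists the relations that its definition's
// evaluation path references. Assumption of this example, not OpenFGA's format.
type Model map[string][]string

// FindCycle returns one cycle as a path of "type#relation" names whose first
// and last element are equal, or nil when the model is acyclic. A definition
// that references itself is reported as a cycle of length one.
func FindCycle(m Model) []string {
	const unvisited, inProgress, done = 0, 1, 2
	state := map[string]int{}
	var stack []string // relations on the evaluation path being explored
	var dfs func(rel string) []string
	dfs = func(rel string) []string {
		state[rel], stack = inProgress, append(stack, rel)
		for _, next := range m[rel] {
			switch state[next] {
			case inProgress: // back edge: next is already on the path
				for i, r := range stack {
					if r == next {
						return append(append([]string{}, stack[i:]...), next)
					}
				}
			case unvisited:
				if c := dfs(next); c != nil {
					return c
				}
			}
		}
		stack, state[rel] = stack[:len(stack)-1], done
		return nil
	}
	for rel := range m {
		if state[rel] == unvisited {
			if c := dfs(rel); c != nil {
				return c
			}
		}
	}
	return nil
}

func main() {
	// Constructed model: viewer and editor are each defined via the other.
	m := Model{"document#viewer": {"document#editor", "user"}, "document#editor": {"document#viewer"}}
	fmt.Println(FindCycle(m)) // a 3-element path starting and ending on the same relation
}
```

A nil result means every Check against the model can terminate; any non-nil path names the definitions that need rewriting before the upgrade.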

Weakness Enumeration: Infinite Loop

Related Identifiers

CVE-2023-43645
GHSA-2HM9-H873-PGQH
GO-2023-2084

Affected Products

Openfga