OpenFGA Check Authorization Bypass Vulnerability (CVE-2025-55213)
OpenFGA is a high-performance, flexible and scalable open-source authorization system aimed at developers. It lets you implement authorization for any kind of application and evolves smoothly as that application's complexity grows.
I. Background
OpenFGA is a high-performance, flexible authorization/permission engine built for developers. It is inspired by Google's Zanzibar and relies on Relationship-Based Access Control.
OpenFGA is an open-source Function Governance tool for managing function calls in a microservice architecture, and it uses two different syntaxes to define authorization models.
The OpenFGA service answers an authorization check by determining whether a relationship exists between an object and a user; put simply, a check consults the caller's authorization model together with the relationship tuples that grant permissions.
The 栋科技 vulnerability database has noted that affected versions of OpenFGA contain an improper policy enforcement vulnerability, tracked as CVE-2025-55213 with a CVSS 4.0 score of 5.8.
II. Vulnerability Analysis
CVE-2025-55213 affects OpenFGA v1.9.3 through v1.9.4 (Helm chart versions openfga-0.2.40 through openfga-0.2.41; Docker images v1.9.3 through v1.9.4).
OpenFGA v1.9.3 through v1.9.4 (OpenFGA-0.2.40 <= Helm chart <= OpenFGA-0.23.41, v1.9.3 <= docker <= v1.9.4) is vulnerable to improper policy enforcement.
The improper policy enforcement occurs when particular Check and ListObjects calls are executed; the issue has been fixed in version 1.9.5.
If you run OpenFGA v1.9.3 through v1.9.4, you are affected specifically when all of the following conditions hold:
you call the Check API or ListObjects with an authorization model in which some relation is directly assignable from more than one userset of the same type;
and you have Check or ListObjects queries that depend on that relation, and you have userset tuples assigned to that relation.
Upgrading to v1.9.5 fixes the vulnerability, and the upgrade is backward compatible.
If upgrading is not an option, the workaround is to downgrade to v1.9.2 and remove the setting that enables check optimizations from OPENFGA_EXPERIMENTALS.
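The following Go program is an added illustration written for this write-up; it is not OpenFGA code and does not use the OpenFGA API. It models the preconditions listed above with the authorization model from the patch's weight_2_more_than_one_userset_assignable test (resource#access directly assignable from both scope#public and scope#verified) and its two tuples, plus one constructed tuple (user:alice is verified in scope:A) so that a legitimately allowed user can be checked as well. CheckCorrect expands each userset against its own object and relation; CheckObjectIDOnly is a simplified model of the shortcut the patch disables, which intersects only on the userset object ID and never compares the relation. Running it shows the two resolvers agree for user:alice but diverge for user:bob, which is exactly the expectation: false assertion the patch adds. The function names, the alice tuple and the shape of the shortcut are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is one relationship tuple (user, relation, object). The user field may be
// a concrete user ("user:bob"), a type-wide wildcard ("user:*") or a userset
// ("scope:A#verified").
type Tuple struct {
	User, Relation, Object string
}

// SampleTuples returns the tuples from the patch's weight_2_more_than_one_userset_assignable
// test, plus one constructed tuple (user:alice verified in scope:A) that is not on the page.
func SampleTuples() []Tuple {
	return []Tuple{
		{"scope:A#verified", "access", "resource:1"},
		{"user:*", "public", "scope:A"},
		{"user:alice", "verified", "scope:A"}, // constructed for this example
	}
}

// splitUserset returns ("scope:A", "verified", true) for "scope:A#verified".
func splitUserset(user string) (object, relation string, ok bool) {
	return strings.Cut(user, "#")
}

// typeOf returns the type prefix of an id ("user:bob" -> "user").
func typeOf(id string) string {
	t, _, _ := strings.Cut(id, ":")
	return t
}

// matchesUser reports whether a tuple's user field names the user directly or
// through a type-wide wildcard such as "user:*".
func matchesUser(tupleUser, user string) bool {
	return tupleUser == user || tupleUser == typeOf(user)+":*"
}

// CheckCorrect resolves (user, relation, object) the safe way: every userset tuple
// found on the requested object/relation is expanded against its OWN object and
// relation, so membership in scope:A#public never satisfies scope:A#verified.
func CheckCorrect(tuples []Tuple, user, relation, object string) bool {
	return checkRec(tuples, user, relation, object, map[string]bool{})
}

func checkRec(tuples []Tuple, user, relation, object string, visited map[string]bool) bool {
	key := object + "#" + relation
	if visited[key] { // guards recursive usersets such as scope#public: [scope#public]
		return false
	}
	visited[key] = true
	for _, t := range tuples {
		if t.Relation != relation || t.Object != object {
			continue
		}
		if matchesUser(t.User, user) {
			return true
		}
		if usObj, usRel, ok := splitUserset(t.User); ok && checkRec(tuples, user, usRel, usObj, visited) {
			return true
		}
	}
	return false
}

// CheckObjectIDOnly is an assumed model of the flawed shortcut: it collects the object
// IDs of the usersets assigned to (object, relation), then accepts the user if they are
// a member of any of those objects under ANY of the model's userset relations.
// usersetRelations lists the relations the model defines on the userset type
// (here "public" and "verified" on type scope).
func CheckObjectIDOnly(tuples []Tuple, user, relation, object string, usersetRelations []string) bool {
	assigned := map[string]bool{}
	for _, t := range tuples {
		if t.Relation == relation && t.Object == object {
			if usObj, _, ok := splitUserset(t.User); ok {
				assigned[usObj] = true
			}
		}
	}
	for _, t := range tuples {
		if !assigned[t.Object] || !matchesUser(t.User, user) {
			continue
		}
		for _, r := range usersetRelations {
			if t.Relation == r {
				return true // object ID matched; the relation was never compared
			}
		}
	}
	return false
}

func main() {
	tuples := SampleTuples()
	rels := []string{"public", "verified"}
	for _, u := range []string{"user:bob", "user:alice"} {
		fmt.Printf("%s access resource:1  correct=%v  object-id-only=%v\n",
			u, CheckCorrect(tuples, u, "access", "resource:1"),
			CheckObjectIDOnly(tuples, u, "access", "resource:1", rels))
	}
}
```

The divergence is the whole point of the patch's `len(directlyRelatedUsersetTypes) < 2` guard: with a single userset type per relation, the object ID alone identifies the userset, but with two usersets of the same type the relation is the only thing separating scope:A#public from scope:A#verified. Operators on an affected version can use a similar pair of tuples in a staging store to confirm that user:bob is denied after the upgrade.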
The relevant code changes are as follows:
Lines changed: 2 additions & 0 deletions
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
Try to keep listed changes to a concise bulleted list of simple explanations of changes. Aim for the amount of information needed so that readers can understand where they would look in the codebase to investigate the changes' implementation, or where they would look in the documentation to understand how to make use of the change in practice - better yet, link directly to the docs and provide detailed information there. Only elaborate if doing so is required to avoid peaking changes or experimental features from ruining someone's day.
## [Unreleased]
### Fixed
- Do not run weight 2 optimization for cases where there are more than 1 directly assignable userset. [#2643](https://github.com/openfga/openfga/pull/2643)
## [1.9.4] - 2025-08-13
### Fixed
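Review bot: the new Unreleased entry describes the change only as skipping an optimization, but the effect of the bug was incorrect Check and ListObjects results for models where a relation is directly assignable from more than one userset of the same type; say so in the entry (e.g. "- Fix Check and ListObjects returning incorrect results when a relation is directly assignable from more than one userset of the same type; the weight 2 optimization is no longer applied in that case.") so that operators reading the changelog recognise it as a correctness fix rather than a performance tweak.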
assets/tests/consolidated_1_1_tests.yaml
Lines changed: 52 additions & 0 deletions
@@ -10435,4 +10435,56 @@ tests:
user: user:jdoe
relation: can_access
object: deployment:1
expectation: false
- name: weight_2_more_than_one_userset_assignable
stages:
- model: |
model
schema 1.1
type user
type scope
relations
define public: [user:*]
define verified: [user]
type resource
relations
define access: [scope#public, scope#verified]
tuples:
- user: scope:A#verified
relation: access
object: resource:1
- user: user:*
relation: public
object: scope:A
checkAssertions:
- tuple:
user: user:bob
relation: access
object: resource:1
expectation: false
- name: weight_infinite_more_than_one_userset_assignable
stages:
- model: |
model
schema 1.1
type user
type scope
relations
define public: [user:*, scope#public]
define verified: [user, scope#verified]
type resource
relations
define access: [scope#public, scope#verified]
tuples:
- user: scope:A#verified
relation: access
object: resource:1
- user: user:*
relation: public
object: scope:A
checkAssertions:
- tuple:
user: user:bob
relation: access
object: resource:1
expectation: false
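Review bot: both new test cases assert only the denial for user:bob; add a positive assertion to each stage (e.g. a tuple `user: user:alice`, `relation: verified`, `object: scope:A` with a checkAssertion that user:alice can access resource:1) so the change is shown not to break the legitimate path through scope#verified, and consider a third case where the two directly assignable usersets have different types, since the guard in check.go counts usersets regardless of type and the tests should pin down whether that is intended.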
internal/graph/check.go
Lines changed: 4 additions & 1 deletion
@@ -745,7 +745,10 @@ func (c *LocalChecker) checkDirect(parentctx context.Context, req *ResolveCheckR
userType := tuple.GetType(reqTupleKey.GetUser())
if !isUserset {
if typesys.UsersetUseWeight2Resolver(objectType, relation, userType, directlyRelatedUsersetTypes) {
if len(directlyRelatedUsersetTypes) < 2 && typesys.UsersetUseWeight2Resolver(objectType, relation, userType, directlyRelatedUsersetTypes) {
// If there are more than 1 directly related userset types of the same type, we cannot do userset optimization because
// we cannot rely on the fact that the object ID matches. Instead, we need to take into consideration
// on the relation as well.
resolver = c.weight2Userset
span.SetAttributes(attribute.String("resolver", "weight2"))
} else if typesys.UsersetUseRecursiveResolver(objectType, relation, userType) {
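Review bot: the new guard `len(directlyRelatedUsersetTypes) < 2` counts all directly related userset types, while the accompanying comment says the optimization is unsafe only when there is more than one userset type of the same type; as written the condition also disables the weight 2 resolver for a relation assignable from two usersets of different types, which the comment does not justify. Either reword the comment to match the broader condition or count usersets per type, and consider moving the check into `typesys.UsersetUseWeight2Resolver`, which already receives `directlyRelatedUsersetTypes`, so that every caller of that predicate applies the same rule.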
III. Affected Scope
OpenFGA-0.2.40 <= Helm chart <= OpenFGA-0.23.41
v1.9.3 <= docker <= v1.9.4
IV. Remediation
openfga >= 1.9.
V. References