GHSA-rxpw-85vw-fx87: OpenFGA denial of service
Overview
OpenFGA is vulnerable to a denial-of-service (DoS) attack. In some scenarios, depending on the authorization model and tuples in use, a call to ListObjects does not release memory properly. When a sufficiently large number of such calls are executed, the OpenFGA server can run out of memory ("out of memory" error) and terminate.
Fix
Upgrade to v1.4.3. This upgrade is backwards compatible.
Package
gomod: github.com/openfga/openfga (Go)
Affected versions
< 1.4.3
Patched versions
1.4.3
References
- GHSA-rxpw-85vw-fx87
- https://nvd.nist.gov/vuln/detail/CVE-2024-23820
- openfga/openfga@908ac85
- https://github.com/openfga/openfga/releases/tag/v1.4.3
miparnisari published to openfga/openfga: Jan 26, 2024
Published by the National Vulnerability Database: Jan 26, 2024
Published to the GitHub Advisory Database: Jan 26, 2024
Reviewed: Jan 26, 2024