How severe is CVE-2025-48371?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2025-48371?

This is classified as CWE-285, which is a common weakness in software security.

CVE-2025-48371 - MEDIUM Severity | CVSS N/A

Vulnerability Description

OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples’s user field is an userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible.

Related Vulnerabilities

CVE-2020-5206

CRITICAL

CVSS:10.0(Critical)

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect give...

CWE-2852020

CVE-2021-31384

CRITICAL

CVSS:10.0(Critical)

Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an ...

CWE-2852021

CVE-2021-37705

CRITICAL

CVSS:10.0(Critical)

OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Direc...

CWE-2852021

CVE-2020-3374

CRITICAL

CVSS:9.9(Critical)

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive informat...

CWE-2852020

CVE-2024-43602

CRITICAL

CVSS:9.9(Critical)

Azure CycleCloud Remote Code Execution Vulnerability

CWE-2852024

CVE-2025-29827

CRITICAL

CVSS:9.9(Critical)

Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network.

CWE-2852025