CVE-2023-45810

MEDIUM

OpenFGA < 1.3.4 - Denial of Service via ListObjects Resource Leak

Title source: llm

Description

OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Affected versions of OpenFGA are vulnerable to a denial of service attack. When a number of `ListObjects` calls are executed, in some scenarios, those calls are not releasing resources even after a response has been sent, and given a sufficient call volume the service as a whole becomes unresponsive. This issue has been addressed in version 1.3.4 and the upgrade is considered backwards compatible. There are no known workarounds for this vulnerability.

References (1)

Core 1

Core References

Third Party Advisory x_refsource_confirm

https://github.com/openfga/openfga/security/advisories/GHSA-hr4f-6jh8-f2vq

Scores

CVSS v3 5.3

EPSS 0.0051

EPSS Percentile 39.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (2)

openfga/openfga < 1.3.4

openfga/openfga 0 - 1.3.4Go

Published Oct 17, 2023

Tracked Since Feb 18, 2026