Summary
Overview
OpenFGA is vulnerable to a DoS attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When the call is made, it's possible for the server to exhaust resources and die.
Am I Affected?
Yes, if your store contains an authorization model that allows circular relationships. For example, with this model:
model
  schema 1.1
type user
type group
  relations
    define memberA: [user] or memberB or memberC or memberD or memberE
    define memberB: [user] or memberA or memberC or memberD or memberE
    define memberC: [user] or memberA or memberB or memberD or memberE
    define memberD: [user] or memberA or memberB or memberC or memberE
    define memberE: [user] or memberA or memberB or memberC or memberD
This Check: (user:anne, memberA, group:X) can exhaust memory in the server.
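A model-level check for the cycle described above, added here as an example (not OpenFGA's own validator): it parses a small subset of the DSL and runs a depth-first search over each type's relation definitions, reporting one cycle (for the model above, memberA -> memberB -> memberA) so offending models can be found before the upgrade to v1.3.2 starts rejecting them. The handled DSL subset, the function names and the reduced sample model are assumptions; it also catches a relation that references itself.

```python
import re
from typing import Dict, List, Optional

# Handled DSL subset: "type X" and "define rel: ..." joined by or / and / but not.
# "[user]" restrictions and "x from y" tupleset terms add no edge inside a type.
DEFINE_RE = re.compile(r"^define\s+(\w+)\s*:\s*(.*)$")
SPLIT_RE = re.compile(r"\s+(?:or|and|but not)\s+")

def parse_model(dsl: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each type to {relation: [same-type relations it refers to]}."""
    types: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in dsl.splitlines():
        line = raw.strip()
        if line.startswith("type "):
            current = line[5:].strip()
            types[current] = {}
        elif (m := DEFINE_RE.match(line)) and current is not None:
            terms = (t.strip() for t in SPLIT_RE.split(m.group(2)))
            types[current][m.group(1)] = [
                t for t in terms if t and not t.startswith("[") and " from " not in t]
    return types

def find_cycle(dsl: str) -> Optional[List[str]]:
    """Return one cycle as ['type#rel', ...] with first == last, or None."""
    for typ, graph in parse_model(dsl).items():
        state: Dict[str, int] = {}  # 1 = on the DFS stack, 2 = finished
        path: List[str] = []
        def visit(rel: str) -> Optional[List[str]]:
            state[rel] = 1
            path.append(f"{typ}#{rel}")
            for nxt in graph.get(rel, []):
                if state.get(nxt) == 1:  # back edge: nxt is still on the stack
                    return path + [f"{typ}#{nxt}"]
                if nxt not in state and (cyc := visit(nxt)):
                    return cyc
            state[rel] = 2
            path.pop()
            return None
        for rel in graph:
            if rel not in state and (cyc := visit(rel)):
                return cyc
    return None

# Constructed sample: the advisory's cyclic model, reduced to two relations.
CYCLIC_MODEL = ("model\n  schema 1.1\ntype user\ntype group\n  relations\n"
                "    define memberA: [user] or memberB\n    define memberB: [user] or memberA\n")

if __name__ == "__main__":
    print(find_cycle(CYCLIC_MODEL))  # ['group#memberA', 'group#memberB', 'group#memberA']
```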
Impact
CVE-2023-43645 has a CVSS score of 5.9 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.3.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Upgrade to v1.3.2 and update any offending models.
[BREAKING] If your model contained cycles or a relation definition that has the relation itself in its evaluation path, then Checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. You will need to update your models to remove the cycles.
Frequently Asked Questions
- What is CVE-2023-43645? CVE-2023-43645 is a medium-severity security vulnerability in github.com/openfga/openfga (go), affecting versions < 1.3.2. It is fixed in 1.3.2.
- How severe is CVE-2023-43645? CVE-2023-43645 has a CVSS score of 5.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/openfga/openfga are affected by CVE-2023-43645? github.com/openfga/openfga (go) versions < 1.3.2 are affected.
- Is there a fix for CVE-2023-43645? Yes. CVE-2023-43645 is fixed in 1.3.2. Upgrade to this version or later.
- Is CVE-2023-43645 exploitable, and should I be worried? Whether CVE-2023-43645 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2023-43645 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2023-43645? Upgrade github.com/openfga/openfga to 1.3.2 or later.