OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So when a sufficiently high number of those calls are executed, the OpenFGA server can create an `out of memory` error and terminate. Version 1.4.3 contains a patch for this issue.
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
| Link | Tags |
|---|---|
| https://github.com/openfga/openfga/security/advisories/GHSA-rxpw-85vw-fx87 | third party advisory |
| https://github.com/openfga/openfga/commit/908ac85c8b7769c8042cca31886df8db01976c39 | patch |
| https://github.com/openfga/openfga/releases/tag/v1.4.3 | release notes |