CVE-2025-25196 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-25196 Interim 1 7 2026-03-05T01:12:07Z current 2025-03-14T00:12:54Z 2026-03-05T01:12:07Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-25196 OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA v1.8.4 or previous, specifically under the following conditions are affected by this authorization bypass vulnerability: 1. Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type. 2. A type bound public access tuple is assigned to an object. 3. userset tuple is not assigned to the same object. and 4. Check request's user field is a userset that has the same type as the type bound public access tuple's user type. Users are advised to upgrade to v1.8.5 which is backwards compatible. There are no known workarounds for this vulnerability. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE SUSE Linux Enterprise Server 16.0 openSUSE Tumbleweed govulncheck-vulndb-0.0.20250312T181707-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 libxml2-2-2.11.6-3.1 libxml2-tools-2.11.6-3.1 update-alternatives-1.22.0-slfo.1.1_2.1 libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/baremetal-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/base-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/kvm-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/rt-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/toolbox:latest libxml2-2-2.11.6-3.1 as a component of Image SL-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-qcow update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-qcow libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-Azure libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-Azure update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-Azure libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-Azure libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-Azure update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-Azure libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-EC2 libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-EC2 update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-EC2 libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-GCE libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-GCE update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-GCE libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-EC2 libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-EC2 update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-EC2 libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-GCE libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-GCE update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-GCE govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 govulncheck-vulndb-0.0.20250312T181707-1.1 as a component of openSUSE Tumbleweed OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA v1.8.4 or previous, specifically under the following conditions are affected by this authorization bypass vulnerability: 1. Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type. 2. A type bound public access tuple is assigned to an object. 3. userset tuple is not assigned to the same object. and 4. Check request's user field is a userset that has the same type as the type bound public access tuple's user type. Users are advised to upgrade to v1.8.5 which is backwards compatible. There are no known workarounds for this vulnerability. CVE-2025-25196 Container suse/sl-micro/6.0/baremetal-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/base-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/kvm-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/rt-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/toolbox:latest:libxml2-2-2.11.6-3.1 Image SL-Micro:libxml2-2-2.11.6-3.1 Image SL-Micro:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-VMware:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-qcow:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-VMware:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-qcow:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro:libxml2-2-2.11.6-3.1 Image SLE-Micro:libxml2-tools-2.11.6-3.1 Image SLE-Micro:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-Azure:libxml2-2-2.11.6-3.1 Image SLE-Micro-Azure:libxml2-tools-2.11.6-3.1 Image SLE-Micro-Azure:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-Azure:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-Azure:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-Azure:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-EC2:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-EC2:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-EC2:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-GCE:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-GCE:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-GCE:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-EC2:libxml2-2-2.11.6-3.1 Image SLE-Micro-EC2:libxml2-tools-2.11.6-3.1 Image SLE-Micro-EC2:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-GCE:libxml2-2-2.11.6-3.1 Image SLE-Micro-GCE:libxml2-tools-2.11.6-3.1 Image SLE-Micro-GCE:update-alternatives-1.22.0-slfo.1.1_2.1 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1 moderate