CVE-2025-46331: OpenFGA Cache Check Response Without Cycle Check
A CheckResponseCacheEntry is written to the check cache without first testing whether the response carries CycleDetected=true. Such a result is indeterminate, so persisting it poisons the cache and Check / ListObjects requests served from that entry for the rest of the TTL receive a false-negative (wrongly denied) authorization decision.
greprules fetch cve-2025-46331-openfga-cache-check-response-without-cycle-check --engine opengrep
Description
A CheckResponseCacheEntry is written to a cache without first checking whether the response has CycleDetected=true. When the resolver detects a cycle in the relationship graph it truncates that sub-evaluation and returns Allowed=false, but that value is not a finished answer: it only means the walk was cut short. Storing it as if it were definitive poisons the cache, so every subsequent Check / ListObjects request that hits the same entry within the TTL is answered with a false negative, i.e. a user who should be allowed is denied. The impact is an incorrect deny rather than an unauthorized grant, but it is shared by all callers of that cache entry for the full TTL, and it persists even when a later evaluation would have completed without the cycle. The missing step is to test CycleDetected before the write and return the indeterminate result to the caller without caching it.
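The following Go program is an added illustration of the failure mode described above; it is not OpenFGA's code and uses a deliberately simplified CheckResponse type, TTL cache and scripted resolver (all assumed for this example) so the poisoning can be reproduced offline. The cache is built once in the vulnerable configuration, where every response is persisted, and once in the hardened configuration, where a CycleDetected response is returned to the caller but never written.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// CheckResponse is a simplified stand-in for the result of a Check resolution.
// Assumed shape for this example; it is not OpenFGA's own type.
type CheckResponse struct {
	Allowed       bool
	CycleDetected bool // set when a sub-evaluation was truncated by cycle detection
}

// Indeterminate reports whether the response can be trusted as a final answer.
// A cycle-truncated walk yields Allowed=false without having finished, so it
// must never be treated as a definitive deny.
func (r CheckResponse) Indeterminate() bool { return r.CycleDetected }

type cacheEntry struct {
	resp    CheckResponse
	expires time.Time
}

// CheckCache is a minimal TTL cache keyed by a check request string.
// The clock is passed in explicitly so the scenario runs without sleeping.
type CheckCache struct {
	mu                sync.Mutex
	ttl               time.Duration
	entries           map[string]cacheEntry
	skipIndeterminate bool // false reproduces the vulnerable behaviour
}

func NewCheckCache(ttl time.Duration, skipIndeterminate bool) *CheckCache {
	return &CheckCache{ttl: ttl, entries: map[string]cacheEntry{}, skipIndeterminate: skipIndeterminate}
}

// Get returns a live entry, evicting it if the TTL has elapsed.
func (c *CheckCache) Get(key string, now time.Time) (CheckResponse, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.entries[key]
	if !ok || now.After(e.expires) {
		delete(c.entries, key)
		return CheckResponse{}, false
	}
	return e.resp, true
}

// Set stores the response and reports whether it was written. In the
// vulnerable configuration every response is persisted, including one that
// was truncated by a cycle; the hardened configuration refuses to cache it.
func (c *CheckCache) Set(key string, resp CheckResponse, now time.Time) bool {
	if c.skipIndeterminate && resp.Indeterminate() {
		return false
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[key] = cacheEntry{resp: resp, expires: now.Add(c.ttl)}
	return true
}

// Resolver stands in for the relationship-graph walk.
type Resolver func(key string) CheckResponse

// Check answers from the cache when possible, otherwise resolves and caches.
func Check(c *CheckCache, resolve Resolver, key string, now time.Time) CheckResponse {
	if cached, ok := c.Get(key, now); ok {
		return cached
	}
	resp := resolve(key)
	c.Set(key, resp, now)
	return resp
}

// scriptedResolver models a walk whose first attempt hits a cycle and is
// truncated, while the next attempt completes and finds the user is allowed.
// Constructed input for this example.
func scriptedResolver() Resolver {
	calls := 0
	return func(string) CheckResponse {
		calls++
		if calls == 1 {
			return CheckResponse{Allowed: false, CycleDetected: true}
		}
		return CheckResponse{Allowed: true}
	}
}

// Scenario issues two identical Check requests one second apart, well inside
// the TTL, and returns both answers so the poisoning effect can be observed.
func Scenario(skipIndeterminate bool) (first, second CheckResponse) {
	cache := NewCheckCache(10*time.Second, skipIndeterminate)
	resolve := scriptedResolver()
	now := time.Unix(1_700_000_000, 0)
	key := "document:readme#viewer@user:anne" // hypothetical tuple key
	first = Check(cache, resolve, key, now)
	second = Check(cache, resolve, key, now.Add(time.Second))
	return first, second
}

func main() {
	for _, hardened := range []bool{false, true} {
		first, second := Scenario(hardened)
		fmt.Printf("hardened=%v first=%+v second=%+v\n", hardened, first, second)
	}
}
```

With skipIndeterminate=false the second request is served the cached Allowed=false even though the resolver would now return Allowed=true; with skipIndeterminate=true the cache miss forces a fresh resolution and the correct allow is returned. The same guard belongs in front of any write of a CheckResponseCacheEntry, not only on the Check path, since ListObjects consumes the same entries.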
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided