### Overview

OpenFGA versions v1.1.0 and prior are vulnerable to a DoS attack when certain Check and ListObjects calls are executed against authorization models that contain circular relationship definitions.

### Am I Affected?

You are affected by this vulnerability if you are using OpenFGA v1.1.0 or earlier, and if you are executing certain [Check](https://openfga.dev/api/service#/Relationship%20Queries/Check) or [ListObjects](https://openfga.dev/api/service#/Relationship%20Queries/ListObjects) calls against a vulnerable authorization model. To see which of your models could be vulnerable to this attack, download OpenFGA v1.1.1 and run the following command:

“`
./openfga validate-models –datastore-engine –datastore-uri | jq .[] | select(.Error | contains(“no entrypoints”))
“`

replacing the variables “ and “ as needed.

### Fix

Upgrade to v1.1.1.

### Backward Compatibility

If you are not passing an invalid authorization model (as identified by running `./openfga validate-models`) as a parameter of your Check and ListObjects calls, this upgrade is backwards compatible.

Otherwise, OpenFGA v1.1.1 will start returning HTTP 400 status codes on those calls.Read More