### Vulnerability Overview

Version `v1.4.1` of the `openfga` project addresses a security vulnerability in the AuthZEN discovery metadata: the published endpoint URL uses the configured `authzen.baseURL` instead of the host header provided by the request. This may lead to host header poisoning attacks.

### Impact Scope

- **Affected Version**: `v1.4.1`
- **Vulnerability Type**: Host header poisoning
- **Trigger Condition**: When the endpoint URL is published using the configured `authzen.baseURL`

### Remediation

- **Fix Measures**: Thanks to a report from user `@jvr2022`, the project has fixed this issue.
- **Specific Changes**: Ensure that, when the endpoint URL is published, the host header provided by the request is used instead of the configured `authzen.baseURL`.

### Other Related Information

- **Release Date**: 2 weeks ago
- **Contributor**: `jpadilla`
- **Other Updates**:
  - Added a server shutdown timeout configuration
  - Made minor changes to `ListObjects` to reduce heap allocations, resulting in a slight reduction in latency
  - Improved cache key generation performance by removing `fmt` usage and extending control character sanitization to all cache key inputs (tuples, conditions, context)
  - Removed the vulnerable `github.com/docker/docker` package (used only for testing) and replaced it with Moby (client & API)

### Contributors

- **Lead Contributor**: `rafanaskin`

### Assets

- **File List**: Includes binary files and source code archives for various platforms such as `darwin`, `linux`, `windows`, etc.

### Summary

This vulnerability primarily affects version `v1.4.1` of the `openfga` project, and the release addresses the host header poisoning issue by fixing the logic for publishing endpoint URLs. The project has released an update, and users are advised to upgrade to the latest version as soon as possible to ensure security.
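The host header poisoning mechanism referred to above, illustrated with an added Go example that is not openfga's code: a discovery handler that builds its published endpoint URL from the request's `Host` header reflects whatever host the client sent, while one that builds it from an operator-configured base URL (the role played by the `authzen.baseURL` setting) is unaffected by the request. The metadata path, evaluation path and host names are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Illustrative AuthZEN-style paths; constructed for this example.
const evaluationPath = "/access/v1/evaluation"

// EndpointFromRequestHost builds the published URL from the request's Host
// header, so the value is whatever the client chose to send.
func EndpointFromRequestHost(r *http.Request) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return scheme + "://" + r.Host + evaluationPath
}

// EndpointFromConfiguredBase builds the published URL from an operator-set
// absolute base URL; the request plays no part, so a foreign Host header
// cannot reach other readers of the discovery document.
func EndpointFromConfiguredBase(baseURL string) (string, error) {
	u, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("base URL %q must be absolute", baseURL)
	}
	u.Path, u.RawQuery, u.Fragment = evaluationPath, "", ""
	return u.String(), nil
}

// PoisonedRequest constructs a discovery request whose Host header names a
// host the operator does not own (constructed sample, not captured traffic).
func PoisonedRequest() *http.Request {
	r, _ := http.NewRequest(http.MethodGet,
		"http://authz.example.internal/.well-known/authzen-configuration", nil)
	r.Host = "attacker.example.net" // client-controlled value
	return r
}

func main() {
	r := PoisonedRequest()
	fmt.Println("from request Host:   ", EndpointFromRequestHost(r))
	ep, _ := EndpointFromConfiguredBase("https://authz.example.internal")
	fmt.Println("from configured base:", ep)
}
```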