CVE-2025-64529

MEDIUM

SpiceDB < 1.45.2 - Incorrect Permission Check Results via WriteRelationships Call

Title source: llm

Description

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-relationships-max-updates-per-call` to `1000`.

References (1)

Core 1

Core References

Patch, Vendor Advisory x_refsource_confirm

https://github.com/authzed/spicedb/security/advisories/GHSA-pm3x-jrhh-qcr7

Scores

CVSS v3 6.5

EPSS 0.0022

EPSS Percentile 11.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (2)

authzed/spicedb < 1.45.2

authzed/spicedb 0 - 1.45.2Go

Published Nov 10, 2025

Tracked Since Feb 18, 2026