Bug 2413926 (CVE-2025-64529)
| Field | Value |
|---|---|
| Summary | CVE-2025-64529 spicedb: SpiceDB: Silent WriteRelationships failure leads to incorrect permissions |
| Product | [Other] Security Response |
| Reporter | OSIDB Bzimport <bzimport> |
| Component | vulnerability |
| Assignee | Product Security DevOps Team <prodsec-dev> |
| Status | NEW --- |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | caswilli, kaycoth |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | --- |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |

Doc Text:

A vulnerability has been identified in the WriteRelationships API of SpiceDB, where large relationship-update requests can be silently dropped when the payload exceeds what the underlying datastore permits. This occurs because the server does not always return an error when processing oversized write operations, especially in schemas that use the exclusion operator and in deployments configured with very high per-call write limits. An attacker or misconfigured client could exploit this behavior by sending an excessively large update request, causing the intended relationship changes to be ignored and resulting in incomplete or inconsistent authorization state.
Description
OSIDB Bzimport
2025-11-10 23:01:58 UTC