2413926 – (CVE-2025-64529) CVE-2025-64529 spicedb: SpiceDB: Silent WriteRelationships failure leads to incorrect permissions

Bug 2413926 (CVE-2025-64529) - CVE-2025-64529 spicedb: SpiceDB: Silent WriteRelationships failure leads to incorrect permissions

Summary: CVE-2025-64529 spicedb: SpiceDB: Silent WriteRelationships failure leads to i...

Keywords:
Status:	NEW
Alias:	CVE-2025-64529
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-10 23:01 UTC by OSIDB Bzimport
Modified:	2025-11-13 11:29 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-11-10 23:01:58 UTC

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-relationships-max-updates-per-call` to `1000`.

Note You need to log in before you can comment on or make changes to this bug.