CVE-2025-49011
BaseFortify
Publication date: 2025-06-06
Last updated on: 2025-09-04
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| authzed | spicedb | all versions before 1.44.2 (1.44.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-358 | Improperly Implemented Security Check for Standard: the product does not implement, or incorrectly implements, one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49011 is a vulnerability in SpiceDB, an open source database for authorization data. The issue occurs in permission checks involving relations that carry caveats on arrow'ed relations in the schema. When a CheckPermission request path requires evaluating multiple caveated branches, SpiceDB may incorrectly return a negative result (NO_PERMISSION) even when a positive result (HAS_PERMISSION) is expected. In other words, subjects who should have access may be denied because the caveated relations are evaluated incorrectly. [2, 3]
How can this vulnerability impact me?
This vulnerability can cause legitimate permission checks to fail, so users are denied access to resources they are authorized to use. Because the defect yields false denials rather than false grants, its direct effect is on availability: authorized users are blocked from performing actions or reading data, which can disrupt business processes that depend on fine-grained authorization. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as permission checks returning a negative response (NO_PERMISSION) when a positive response (HAS_PERMISSION) is expected, specifically in schemas that place caveats on arrow'ed relations. Detection therefore consists of exercising permission checks against your SpiceDB instance with schemas and relationships that include caveated arrow'ed relations. For example, you can reproduce checks similar to those described in the advisory, such as checking a user's permission on a document resource whose owner relation is caveated. Because the issue is a logic defect inside SpiceDB rather than a network-exposed service flaw, detection means issuing CheckPermission requests through SpiceDB's API or CLI with caveat context that should grant access and observing whether access is incorrectly denied; comparing the running version against 1.44.2 is the simpler check. No specific network scanning commands are provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading SpiceDB to version 1.44.2 or later, which contains the fix for this vulnerability. If upgrading is not immediately possible, avoid using caveats on arrow'ed relations in your schema; this is the known workaround until the patch is applied. [1, 2]