CVE-2025-65111
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-21

Last updated on: 2025-12-31

Assigner: GitHub, Inc.

Description
SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on both sides (but one side arrows to a different permission). Then SpiceDB may have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-21
Last Modified
2025-12-31
Generated
2026-06-16
AI Q&A
2025-11-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65111
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
authzed spicedb to 1.47.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-277 A product defines a set of insecure permissions that are inherited by objects that are created by the program.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in SpiceDB occurs when a schema defines a permission using a union (+) that references the same relation on both sides, but with one side pointing to a different permission. In such cases, SpiceDB may return incomplete results for LookupResources when checking permissions. Other APIs are not affected and calculate permissions correctly. The issue is fixed in version 1.47.1.

Impact Analysis

The vulnerability can cause missing LookupResources results when checking permissions, which means that some resources a user should have access to might not be returned by the LookupResources API. This could lead to incomplete permission checks or unexpected behavior in applications relying on this API.

Mitigation Strategies

Upgrade SpiceDB to version 1.47.1 or later, as this version contains the fix for the vulnerability affecting LookupResources results.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65111. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart