CVE-2025-65111
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-12-31
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| authzed | spicedb | < 1.47.1 (every release before 1.47.1; 1.47.1 contains the fix) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-277 | A product defines a set of insecure permissions that are inherited by objects that are created by the program. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in SpiceDB is triggered by a specific schema shape: a permission defined as a union (+) whose two sides both start from the same relation, one side referencing the relation directly and the other following that same relation into a different permission. For schemas of that shape, the LookupResources API may return an incomplete result set, omitting resources the subject is in fact allowed to access. The failure mode described is missing results, not extra ones, and the other APIs (including CheckPermission) evaluate the same schema correctly. The issue is fixed in version 1.47.1.
How can this vulnerability impact me?
Resources that a subject is entitled to access may be silently absent from LookupResources responses. Any application feature built on that API, such as listing "everything this user can see" or pre-filtering a query by the returned resource IDs, can therefore under-report access and behave unexpectedly, while a direct CheckPermission on the same resource still returns the correct answer. Because of that, an empty or short LookupResources result on an affected version should not be treated as an authoritative denial.
What immediate steps should I take to mitigate this vulnerability?
Upgrade SpiceDB to version 1.47.1 or later, which contains the fix for the incomplete LookupResources results. Since responses from the affected API may have been incomplete, any lists or caches that were derived from LookupResources output under an affected version should be regenerated after the upgrade.
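As an added example (not code from this advisory or from the authzed project), the Python below covers the two practical checks a reader of the explanation and mitigation above would want: a heuristic scan of a SpiceDB schema for the permission shape the advisory describes, and a check of whether a deployed version predates the fixed release. The sample schema, the definition and permission names in it, and the regex-based linter are all constructed for illustration; the linter assumes plain schema text with one permission per line and inspects only top-level unions.

```python
import re
from typing import List, Tuple

# Constructed sample schema (not taken from the advisory). The 'view'
# permission has the shape the advisory describes: a union whose operands
# both start from the same relation ('parent'), one side using the relation
# directly and the other walking through it to a different permission.
SAMPLE_SCHEMA = """
definition user {}

definition group {
    relation member: user
    permission membership = member
}

definition document {
    relation owner: user
    relation parent: group
    permission view = parent + parent->membership
    permission edit = owner
}
"""

# Release that the advisory names as containing the fix.
FIXED_VERSION = (1, 47, 1)

# One 'definition name { ... }' block; assumes no nested braces, which holds
# for SpiceDB schema syntax.
DEFINITION_RE = re.compile(r"definition\s+(\w+)\s*\{(.*?)\}", re.S)
# One 'permission name = expression' line inside a definition body.
PERMISSION_RE = re.compile(r"^\s*permission\s+(\w+)\s*=\s*(.+?)\s*$", re.M)


def find_union_arrow_self_refs(schema: str) -> List[Tuple[str, str, str]]:
    """Heuristic lint (an assumption of this example, not an authzed tool).

    Returns (definition, permission, relation) for every permission whose
    expression is a union ('+') containing both a bare reference to a
    relation and an arrow ('relation->something') from that same relation.
    Only top-level '+' unions are inspected; intersections, exclusions and
    parenthesised sub-expressions are left alone, so an empty result is not
    proof that a schema is unaffected.
    """
    hits: List[Tuple[str, str, str]] = []
    for defn_match in DEFINITION_RE.finditer(schema):
        defn, body = defn_match.group(1), defn_match.group(2)
        for perm_match in PERMISSION_RE.finditer(body):
            perm, expr = perm_match.groups()
            operands = [op.strip() for op in expr.split("+")]
            # Operands that name a relation directly, e.g. 'parent'.
            bare = {op for op in operands if re.fullmatch(r"\w+", op)}
            # Relations that an arrow operand starts from, e.g. 'parent->membership'.
            arrows = {op.split("->", 1)[0].strip() for op in operands if "->" in op}
            for rel in sorted(bare & arrows):
                hits.append((defn, perm, rel))
    return hits


def version_is_affected(version: str) -> bool:
    """True if a SpiceDB release string (e.g. 'v1.46.0') predates 1.47.1.

    A pre-release of 1.47.1 itself (e.g. '1.47.1-rc1') is still counted as
    affected, since it may not yet contain the fix.
    """
    core, _, prerelease = version.lstrip("v").partition("-")
    parts = tuple(int(p) for p in core.split("."))
    return parts < FIXED_VERSION or (parts == FIXED_VERSION and bool(prerelease))


if __name__ == "__main__":
    for defn, perm, rel in find_union_arrow_self_refs(SAMPLE_SCHEMA):
        print(f"{defn}.{perm}: union references '{rel}' both directly and via an arrow")
    for v in ("v1.46.2", "v1.47.0", "v1.47.1"):
        print(v, "affected" if version_is_affected(v) else "fixed")
```

Run the script against your own schema text to get a list of permissions worth reviewing; a hit on an affected version is a reason to stop relying on LookupResources output for those permissions until the upgrade is done, and a miss should not be read as an all-clear, since the linter deliberately ignores anything more complex than a flat union.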