CVE-2025-65111
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-65111, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-21

Last updated on: 2025-12-31

Assigner: GitHub, Inc.

Description

SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on both sides (but one side arrows to a different permission). Then SpiceDB may have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-21
Last Modified
2025-12-31
Generated
2026-07-06
AI Q&A
2025-11-22
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
authzed spicedb to 1.47.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-277 A product defines a set of insecure permissions that are inherited by objects that are created by the program.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in SpiceDB occurs when a schema defines a permission using a union (+) that references the same relation on both sides, but with one side pointing to a different permission. In such cases, SpiceDB may return incomplete results for LookupResources when checking permissions. Other APIs are not affected and calculate permissions correctly. The issue is fixed in version 1.47.1.

Impact Analysis

The vulnerability can cause missing LookupResources results when checking permissions, which means that some resources a user should have access to might not be returned by the LookupResources API. This could lead to incomplete permission checks or unexpected behavior in applications relying on this API.

Mitigation Strategies

Upgrade SpiceDB to version 1.47.1 or later, as this version contains the fix for the vulnerability affecting LookupResources results.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65111. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart