GHSA-CWWM-HR97-QFXM
Vulnerability from github – Published: 2025-06-06 21:41 – Updated: 2025-06-10 19:58
Summary
SpiceDB checks involving relations with caveats can result in no permission when permission is expected
Details
Impact
On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected.
For example, given this schema:

```
definition user {}

definition office {
    relation parent: office
    relation manager: user
    permission read = manager + parent->read
}

definition group {
    relation parent: office
    permission read = parent->read
}

definition document {
    relation owner: group with equals
    permission read = owner->read
}

caveat equals(actual string, required string) {
    actual == required
}
```
and these relationships:

```
office:headoffice#manager@user:maria
office:branch1#parent@office:headoffice
group:admins#parent@office:branch1
group:managers#parent@office:headoffice
document:budget#owner@group:admins[equals:{"required":"admin"}]
document:budget#owner@group:managers[equals:{"required":"manager"}]
```
Permission for 'document:budget#read@user:maria with {"actual" : "admin"}' is returned as NO_PERMISSION when HAS_PERMISSION is the correct answer.
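To make the expected answer concrete, the following is an added reference model of the advisory's schema and relationships in Python (it is not SpiceDB's engine or the project's code): every branch of a permission is evaluated on its own and the results are unioned, so a caveat that fails on one branch (`group:managers`) cannot mask a branch that succeeds (`group:admins`). It simplifies SpiceDB by treating missing caveat context as false instead of returning a conditional result.

```python
# Constructed reference model of the advisory's schema; not SpiceDB code.
# Relationship tuples: (resource, relation, subject, caveat name, caveat context).
RELATIONSHIPS = [
    ("office:headoffice", "manager", "user:maria", None, {}),
    ("office:branch1", "parent", "office:headoffice", None, {}),
    ("group:admins", "parent", "office:branch1", None, {}),
    ("group:managers", "parent", "office:headoffice", None, {}),
    ("document:budget", "owner", "group:admins", "equals", {"required": "admin"}),
    ("document:budget", "owner", "group:managers", "equals", {"required": "manager"}),
]

# Permissions from the schema as a union of terms:
# ("rel", r) is a direct relation, ("arrow", r, p) is r->p.
PERMISSIONS = {
    "office": {"read": [("rel", "manager"), ("arrow", "parent", "read")]},
    "group": {"read": [("arrow", "parent", "read")]},
    "document": {"read": [("arrow", "owner", "read")]},
}


def caveat_equals(request_ctx, rel_ctx):
    # `required` comes from the relationship, `actual` from the request.
    # Simplification: missing context evaluates to False (SpiceDB would
    # report a conditional result instead).
    merged = {**rel_ctx, **request_ctx}
    return merged.get("actual") == merged.get("required")


CAVEATS = {"equals": caveat_equals}


def subjects(resource, relation, request_ctx):
    """Yield subjects of resource#relation whose caveat (if any) holds."""
    for res, rel, subj, cav, rel_ctx in RELATIONSHIPS:
        if res == resource and rel == relation:
            if cav is None or CAVEATS[cav](request_ctx, rel_ctx):
                yield subj


def check(resource, permission, subject, request_ctx):
    """True (HAS_PERMISSION) if any branch of the permission reaches subject."""
    for term in PERMISSIONS[resource.split(":")[0]][permission]:
        if term[0] == "rel":
            if subject in subjects(resource, term[1], request_ctx):
                return True
        else:  # arrow: each caveat-passing target is checked independently
            for target in subjects(resource, term[1], request_ctx):
                if check(target, term[2], subject, request_ctx):
                    return True
    return False
```

Running the advisory's check through this model gives HAS_PERMISSION for `{"actual": "admin"}` (via `group:admins`), which is the answer affected SpiceDB versions fail to return.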
Patches
Upgrade to v1.44.2.
Workarounds
Do not use caveats in your schema over an arrow’ed relation.
Severity
```json
{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.44.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/authzed/spicedb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.44.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-06T21:41:00Z",
    "nvd_published_at": "2025-06-06T18:15:35Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nOn schemas involving arrows with caveats on the arrow\u2019ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected.\n\nFor example, given this schema:\n\n```\ndefinition user {}\n\ndefinition office {\n\trelation parent: office\n\trelation manager: user\n\tpermission read = manager + parent-\u003eread\n}\n\ndefinition group {\n\trelation parent: office\n\tpermission read = parent-\u003eread\n}\n\ndefinition document {\n\trelation owner: group with equals\n\tpermission read = owner-\u003eread\n}\n\ncaveat equals(actual string, required string) {\n\tactual == required\n}\n```\n\nand these relationships:\n\n```\noffice:headoffice#manager@user:maria\noffice:branch1#parent@office:headoffice\ngroup:admins#parent@office:branch1\ngroup:managers#parent@office:headoffice\ndocument:budget#owner@group:admins[equals:{\"required\":\"admin\"}]\ndocument:budget#owner@group:managers[equals:{\"required\":\"manager\"}]\n```\n\nPermission for `\u0027document:budget#read@user:maria with {\"actual\" : \"admin\"}\u0027` is returned as NO_PERMISSION when HAS_PERMISSION is the correct answer.\n\n### Patches\nUpgrade to v1.44.2.\n\n### Workarounds\nDo not use caveats in your schema over an arrow\u2019ed relation.",
  "id": "GHSA-cwwm-hr97-qfxm",
  "modified": "2025-06-10T19:58:49Z",
  "published": "2025-06-06T21:41:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authzed/spicedb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/releases/tag/v1.44.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SpiceDB checks involving relations with caveats can result in no permission when permission is expected"
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.