Vulnerability-Lookup

GHSA-PM3X-JRHH-QCR7

Vulnerability from github – Published: 2025-11-13 22:58 – Updated: 2026-05-14 20:54

Summary

SpiceDB WriteRelationships fails silently if payload is too big

Details

Impact

Users who 1. use the exclusion operator somewhere in their authorization schema 1. have configured their SpiceDB server such that --write-relationships-max-updates-per-call is bigger than 6500 1. issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows

will

receive a successful response from their WriteRelationships call, when in reality that call failed,
receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion

Patches

Upgrade to v.145.2.

Workarounds

Set --write-relationships-max-updates-per-call to 1000.

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

2.7 (Low)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/authzed/spicedb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.45.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64529"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T22:58:20Z",
    "nvd_published_at": "2025-11-10T23:15:42Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nUsers who \n1. use the exclusion operator somewhere in their authorization schema\n1. have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500\n1. issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows\n\nwill \n\n1. receive a successful response from their `WriteRelationships` call, when in reality that call failed,\n2. receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion\n\n### Patches\n\nUpgrade to v.145.2.\n\n### Workarounds\n\nSet `--write-relationships-max-updates-per-call` to `1000`.",
  "id": "GHSA-pm3x-jrhh-qcr7",
  "modified": "2026-05-14T20:54:58Z",
  "published": "2025-11-13T22:58:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-pm3x-jrhh-qcr7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64529"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/commit/d0cd103a92cc1915636733fb1d1730c2c7f74851"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authzed/spicedb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SpiceDB WriteRelationships fails silently if payload is too big"
}

CVE-2025-64529 (GCVE-0-2025-64529)

Vulnerability from cvelistv5 – Published: 2025-11-10 22:28 – Updated: 2025-11-12 20:12

Title

SpiceDB's WriteRelationships fails silently if payload is too big

Summary

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-relationships-max-updates-per-call` to `1000`.

Severity

2.7 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/authzed/spicedb/security/advis…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
authzed	spicedb	Affected: < 1.45.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64529",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-12T17:34:00.745696Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-12T20:12:52.552Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "spicedb",
          "vendor": "authzed",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.45.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-relationships-max-updates-per-call` to `1000`."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-10T22:28:51.589Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/authzed/spicedb/security/advisories/GHSA-pm3x-jrhh-qcr7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-pm3x-jrhh-qcr7"
        }
      ],
      "source": {
        "advisory": "GHSA-pm3x-jrhh-qcr7",
        "discovery": "UNKNOWN"
      },
      "title": "SpiceDB\u0027s WriteRelationships fails silently if payload is too big"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64529",
    "datePublished": "2025-11-10T22:28:51.589Z",
    "dateReserved": "2025-11-05T21:15:39.401Z",
    "dateUpdated": "2025-11-12T20:12:52.552Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted