CVE-2025-49011: SpiceDB checks involving relations with caveats can result in no permission when permission is expected

3.7 CVSS

Description

SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, in schemas that use arrows over a relation carrying caveats (an arrow'ed relation), a CheckPermission request whose resolution path requires evaluating multiple caveated branches may return a negative response where a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema on a relation that an arrow traverses.

Classification

CVE ID: CVE-2025-49011

CVSS Base Severity: LOW

CVSS Base Score: 3.7

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem Types

CWE-358: Improperly Implemented Security Check for Standard

Affected Products

Vendor: authzed

Product: spicedb

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.07% (proportion of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-27 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-49011
https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm
https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67
https://github.com/authzed/spicedb/releases/tag/v1.44.2

Timeline