
CVE-2025-65111: SpiceDB LookupResources Vulnerability – Ensure Accurate Permission Checks!

Overview

CVE-2025-65111 describes a vulnerability in SpiceDB, an open-source database system used for managing application permissions. This flaw, present in versions prior to 1.47.1, can cause incomplete or missing results when using the LookupResources API under specific schema configurations. This impacts the accuracy of resource discovery based on permissions but does not affect other permission check APIs.

Technical Details

The vulnerability arises when a SpiceDB schema defines a permission as a union (+) whose operands both reference the same relation, with one operand following an arrow from that relation to a different permission. In this configuration, LookupResources can fail to return every resource the subject actually has access to, even though other permission check APIs still answer correctly.

Specifically, the problematic scenario involves:

  • A permission defined using a union (+).
  • Both sides of the union referencing the same relation.
  • One side of the union reaching a different permission through an arrow (e.g., relation->permission).
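As an added example (not code from the advisory or the SpiceDB project), the following Python check scans a schema for permissions with the shape just described: a `+` union in which two operands name the same relation and at least one of them arrows through that relation to another permission. It is a textual heuristic only, assuming one permission per line, plain `+` unions without parentheses, and the constructed sample schema embedded below.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample schema (not taken from the advisory). The `view`
# permission on `document` has the advisory's shape: both union operands
# name the relation `owner`, and one of them arrows on to `membership`.
SAMPLE_SCHEMA = """
definition user {}

definition group {
    relation member: user
    permission membership = member
}

definition document {
    relation owner: user | group
    relation viewer: user
    permission view = owner + owner->membership
    permission edit = owner + viewer
}
"""

PERM_RE = re.compile(r"^\s*permission\s+(\w+)\s*=\s*(.+?)\s*$")
DEF_RE = re.compile(r"^\s*definition\s+(\S+)\s*\{")


def find_suspect_permissions(schema: str) -> List[Tuple[str, str, str]]:
    """Return (definition, permission, expression) for every permission whose
    union has two operands on the same relation and at least one of those
    operands arrows through that relation to another permission."""
    hits: List[Tuple[str, str, str]] = []
    current_def = "?"
    for line in schema.splitlines():
        d = DEF_RE.match(line)
        if d:
            current_def = d.group(1)
            continue
        m = PERM_RE.match(line)
        if not m:
            continue
        name, expr = m.group(1), m.group(2)
        # Only plain `+` unions are examined; expressions using `&` or `-`
        # (intersection / exclusion) are skipped by this heuristic.
        if "+" not in expr or "&" in expr or "-" in expr.replace("->", ""):
            continue
        terms = [t.strip() for t in expr.split("+")]
        by_relation: Dict[str, List[str]] = {}
        for t in terms:
            by_relation.setdefault(t.split("->")[0], []).append(t)
        for ops in by_relation.values():
            if len(ops) >= 2 and any("->" in op for op in ops):
                hits.append((current_def, name, expr))
                break
    return hits
```

Run it over your own schema text to get a review list; each hit is a candidate to refactor or to retest after upgrading to 1.47.1.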

CVSS Analysis

Currently, a CVSS score has not been assigned for CVE-2025-65111. This may be because the impact is limited to the LookupResources API, and other permission APIs are not affected. However, the potential for incomplete resource discovery warrants prompt attention and patching.

Possible Impact

The primary impact of this vulnerability is the potential for inaccurate resource discovery through the LookupResources API. This could lead to:

  • Users being denied access to resources they should be able to access due to incomplete lookup results.
  • Applications displaying an incomplete list of resources available to a user.
  • Security policies not being enforced as intended due to the inaccurate resource discovery.

Mitigation or Patch Steps

The recommended solution is to upgrade SpiceDB to version 1.47.1 or later. This version contains the fix for CVE-2025-65111. To upgrade, follow the official SpiceDB upgrade instructions provided by authzed. Ensure you thoroughly test the upgrade in a staging environment before deploying to production.

If upgrading immediately is not possible, carefully review your SpiceDB schema for the conditions described in the Technical Details section. While a direct workaround might be complex and schema-dependent, you might be able to refactor your schema to avoid the problematic union configuration as a temporary measure until you can upgrade.

References

SpiceDB Commit – 8c2edbe1e7bd3851fa2138f4cc344bfde986dcf2 (github.com)
GHSA-9m7r-g8hg-x3vr – Security Advisory (github.com)

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
