CVE-2025-49011

SpiceDB checks involving relations with caveats can result in no permission when permission is expected

Severity Score

3.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow’ed relation.

SpiceDB es una base de datos de código abierto para almacenar y consultar datos de autorización detallados. Antes de la versión 1.44.2, en esquemas con flechas y advertencias en la relación con flechas, cuando la ruta para resolver una solicitud CheckPermission implica la evaluación de varias ramas con advertencias, las solicitudes podían devolver una respuesta negativa cuando se esperaba una positiva. La versión 1.44.2 soluciona este problema. Como solución alternativa, no utilice advertencias en el esquema sobre una relación con flechas.

These are all security issues fixed in the govulncheck-vulndb-0.0.20250612T141001-1.1 package on the GA media of openSUSE Tumbleweed.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-05-29 CVE Reserved
2025-06-06 CVE Published
2025-06-09 CVE Updated
2025-08-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-358: Improperly Implemented Security Check for Standard

CAPEC

References (3)

URL	Tag	Source
https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67	X_refsource_misc
https://github.com/authzed/spicedb/releases/tag/v1.44.2	X_refsource_misc
https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Authzed Search vendor "Authzed"		Spicedb Search vendor "Authzed" for product "Spicedb"				< 1.44.2 Search vendor "Authzed" for product "Spicedb" and version " < 1.44.2"		en		Affected