Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-9m7r-g8hg-x3vr

Опубликовано: 21 нояб. 2025
Источник: github
Github: Прошло ревью
CVSS4: 2.9

Описание

SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results

Impact

If a schema includes the following characteristics:

  1. Permission defined in terms of a union (+)
  2. That union references the same relation on both sides, but one side arrows to a different permission

Then you might have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly.

A small concrete example:

relation doer_of_things: user | group#member permission do_the_thing = doer_of_things + doer_of_things->admin

A CheckPermission on do_the_thing will return the correct permissionship, but a LookupResources on do_the_thing may miss resources.

A Comprehensive Example

If you have a schema with a structure like this:

definition special_user {} definition user { relation special_user_mapping: special_user permission special_user = special_user_mapping } definition group { relation member: user permission membership = member + member->special_user } definition system { relation viewer: user | group#membership // This is the problematic permission permission view = viewer + viewer->special_user }

And these relationships:

system:somesystem#viewer@group:somegroup#membership group:somegroup#member@user:someuser1 user:someuser1#special_user_mapping@special_user:specialuser

And you call LookupResources with:

subject_type: user subject_id: someuser1 permission: view resource_type: system

You would expect to receive system:somesystem in the results, but you do not.

Note that this only applies to LookupResources; if you CheckPermission for that resource specifically, it will return HasPermission.

Patches

The issue is fixed in v1.47.1. Upgrading to this version will remediate this issue.

Ссылки

Пакеты

Наименование

github.com/authzed/spicedb

go
Затронутые версииВерсия исправления

< 1.47.1

1.47.1

EPSS

Процентиль: 14%
0.00045
Низкий

2.9 Low

CVSS4

CVE ID

CVE-2025-65111

Дефекты

CWE-277

Связанные уязвимости

nvd логотип

CVE-2025-65111

CVSS3: 5.3
nvd
3 месяца назад

SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on both sides (but one side arrows to a different permission). Then SpiceDB may have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1.

EPSS

Процентиль: 14%
0.00045
Низкий

2.9 Low

CVSS4

CVE ID

CVE-2025-65111

Дефекты

CWE-277