Insecure deserialization in github.com/authzed/spicedb

Description

SpiceDB checks involving relations with caveats can result in no permission when permission is expected

Impact

In schemas where an arrow walks a relation that carries caveats, a CheckPermission request whose resolution path requires evaluating multiple caveated branches may return a negative response when a positive response is expected.

For example, given this schema:

definition user {}

definition office {
	relation parent: office
	relation manager: user
	permission read = manager + parent->read
}
...

and these relationships:

office:headoffice#manager@user:maria
office:branch1#parent@office:headoffice
group:admins#parent@office:branch1
group:managers#parent@office:headoffice
document:budget#owner@group:admins[equals:{"required":"admin"}]
document:budget#owner@group:managers[equals:{"required":"manager"}]

Permission for 'document:budget#read@user:maria with {"actual" : "admin"}' is returned as NO_PERMISSION when HAS_PERMISSION is the correct answer.
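As an added example (not SpiceDB's or authzed's code), the following Go model walks the schema and relationships above and resolves the request the way a correct union over caveated branches must. The group and document definitions are elided in the advisory, so their shapes here are assumptions (group: `permission read = parent->read`; document: `permission read = owner->read`), and the equals caveat is modelled as comparing the context's "actual" with the tuple's "required".

```go
package main

import "strings"

// Constructed model of the advisory's schema and relationships (added example, not SpiceDB
// code). A tuple is resource#relation@subject, optionally guarded by the "equals" caveat,
// modelled here as context["actual"] == required; required == "" means no caveat.
type tuple struct{ resource, relation, subject, required string }

var tuples = []tuple{
	{"office:headoffice", "manager", "user:maria", ""},
	{"office:branch1", "parent", "office:headoffice", ""},
	{"group:admins", "parent", "office:branch1", ""},
	{"group:managers", "parent", "office:headoffice", ""},
	{"document:budget", "owner", "group:admins", "admin"},
	{"document:budget", "owner", "group:managers", "manager"},
}

// schema: definition -> permission -> rules; a bare name is a direct relation, "rel->perm"
// an arrow. group and document are elided ("...") in the advisory, so their shapes are hypothetical.
var schema = map[string]map[string][]string{
	"office":   {"read": {"manager", "parent->read"}},
	"group":    {"read": {"parent->read"}},
	"document": {"read": {"owner->read"}},
}

// subjects returns the subjects of resource#relation whose caveat holds under ctx.
// A failing caveat prunes only that branch; the remaining branches must still be walked.
func subjects(resource, relation string, ctx map[string]string) []string {
	var out []string
	for _, t := range tuples {
		if t.resource == resource && t.relation == relation && (t.required == "" || ctx["actual"] == t.required) {
			out = append(out, t.subject)
		}
	}
	return out
}

// Check resolves resource#permission@subject as a union over every rule and every surviving
// branch; that union is what yields HAS_PERMISSION for the advisory's request.
func Check(resource, permission, subject string, ctx map[string]string) bool {
	def, _, _ := strings.Cut(resource, ":")
	for _, rule := range schema[def][permission] {
		rel, arrow, isArrow := strings.Cut(rule, "->")
		for _, s := range subjects(resource, rel, ctx) {
			if (!isArrow && s == subject) || (isArrow && Check(s, arrow, subject, ctx)) {
				return true
			}
		}
	}
	return false
}
```

With `{"actual": "admin"}` the managers branch is pruned by its caveat but the admins branch still reaches user:maria through branch1 and headoffice, so the correct answer is HAS_PERMISSION; a context matching neither caveat yields no permission.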

Patches

Upgrade to v1.44.2.

Workarounds

Do not use caveats in your schema over an arrow’ed relation.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
