CVE-2025-65111 Overview
CVE-2025-65111 affects SpiceDB, an open source database system used to manage security-critical application permissions. The vulnerability causes the LookupResources API to return incomplete results when a schema defines a permission using a union (+) operator that references the same relation on both sides, where one side arrows to a different permission. Other permission APIs, including CheckPermission, continue to calculate permissionship correctly. Authzed released a fix in SpiceDB version 1.47.1. The issue is categorized under [CWE-277: Insecure Inherited Permissions].
Critical Impact
LookupResources may omit resources the caller is authorized to access, producing incomplete authorization query results in applications relying on SpiceDB for permission enumeration.
Affected Products
- Authzed SpiceDB versions prior to 1.47.1
- Applications relying on LookupResources API for permission enumeration
- Schemas using union permissions with arrow references to different permissions
Discovery Timeline
- 2025-11-21 - CVE-2025-65111 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-65111
Vulnerability Analysis
SpiceDB evaluates permissions defined in a schema through a query planning and execution layer. The LookupResources API enumerates all resources on which a subject holds a given permission. When a schema defines a permission as a union of two relations, and both operands reference the same relation but one side traverses an arrow (->) to a different permission, the query tree fails to merge the two branches correctly. As a result, LookupResources returns a subset of resources rather than the complete set.
The defect is confined to enumeration semantics. CheckPermission and related APIs walk the graph in the reverse direction and continue to produce correct authorization decisions. Applications that display resource lists or drive downstream authorization based on LookupResources output can therefore hide legitimately accessible resources from users.
Root Cause
The root cause resides in the SpiceDB query tree construction logic under pkg/query/build_tree.go. Union nodes referencing the same relation with divergent arrow targets were not deduplicated or merged correctly, causing one branch to shadow results from the other during resource enumeration.
Attack Vector
The issue is triggered by schema authors defining union permissions with the specific structural pattern above. Exploitation requires no authentication because the flawed evaluation is invoked whenever a caller issues a LookupResources request against an affected schema. There is no privilege escalation or data exfiltration primitive; the vulnerability is limited to incomplete integrity of enumeration results.
// Patch excerpt: pkg/query/build_tree.go
package query
import (
+ "errors"
"fmt"
core "github.com/authzed/spicedb/pkg/proto/core/v1"
Source: GitHub Commit 8c2edbe
Detection Methods for CVE-2025-65111
Indicators of Compromise
- No malicious network indicators exist because the flaw is a correctness bug rather than an exploitable code path.
- Application logs showing users reporting missing resources they should be able to access via LookupResources.
- Divergence between LookupResources output and per-resource CheckPermission results for the same subject.
Detection Strategies
- Inventory running SpiceDB deployments and verify the version reported by spicedb version or the /debug/version endpoint against 1.47.1.
- Review the deployed schema for permissions defined as a union where both operands reference the same relation and at least one uses an arrow to a different permission.
- Run consistency tests that compare LookupResources output with iterative CheckPermission calls across a known corpus of subjects and resources.
Monitoring Recommendations
- Enable SpiceDB request logging and alert on unusual gaps between authorization queries and downstream access patterns.
- Track SpiceDB release notes and the Authzed GitHub security advisories for related permission evaluation fixes.
- Instrument application-level metrics that count empty or truncated LookupResources responses per tenant to surface regressions.
How to Mitigate CVE-2025-65111
Immediate Actions Required
- Upgrade SpiceDB to version 1.47.1 or later across all clusters and replicas.
- Restart dependent services after the upgrade to invalidate any cached authorization decisions built from incomplete results.
- Audit any authorization-driven UI or workflow that relies on LookupResources for correctness during the exposure window.
Patch Information
Authzed fixed the vulnerability in SpiceDB 1.47.1. The change is described in GitHub Security Advisory GHSA-9m7r-g8hg-x3vr and implemented in commit 8c2edbe. Container images are published to the authzed registry with matching tags.
Workarounds
- Rewrite affected schema permissions to avoid unions where both sides reference the same relation with divergent arrow targets.
- Replace enumeration flows with per-resource CheckPermission calls until the upgrade is deployed, as CheckPermission is unaffected.
- Restrict deployment of new schemas that match the vulnerable pattern via code review or schema-linting in CI.
# Upgrade SpiceDB container to the patched release
docker pull authzed/spicedb:v1.47.1
# Verify the running version
spicedb version
# Confirm schema behavior with a regression check
zed permission lookup-resources <resource_type> <permission> <subject>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

