CVE-2025-64529

6.5 MEDIUM

📋 TL;DR

SpiceDB versions before 1.45.2 have a vulnerability where WriteRelationships calls with large payloads can return success when they actually failed, leading to incorrect permission check results. This affects users who use the exclusion operator in their authorization schema and have configured --write-relationships-max-updates-per-call above 6500. The vulnerability allows authorization logic to be bypassed.

💻 Affected Systems

Products:
  • SpiceDB
Versions: All versions prior to 1.45.2
Operating Systems: All platforms running SpiceDB
Default Config Vulnerable: ✅ No
Notes: Only affects deployments that meet all three of the following conditions:
  • The exclusion operator is used in the authorization schema
  • --write-relationships-max-updates-per-call is set above 6500
  • WriteRelationships calls are issued with payloads exceeding datastore limits

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authorization bypass leading to unauthorized access to protected resources, data leakage, or privilege escalation in security-critical applications.

🟠 Likely Case

Inconsistent permission checks causing application logic errors, potentially allowing some users to access resources they shouldn't have access to.

🟢 If Mitigated

No impact if the fixed version or the workaround is applied; otherwise, potential authorization inconsistencies.

🌐 Internet-Facing: MEDIUM - Exploitation requires specific configuration and authorization schema usage, but could lead to authorization bypass if exposed.
🏢 Internal Only: MEDIUM - Same technical risk but limited to internal users; still concerning for security-critical permission systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific configuration conditions and understanding of the authorization schema. Attacker needs ability to make WriteRelationships calls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.45.2

Vendor Advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-pm3x-jrhh-qcr7

Restart Required: Yes

Instructions:

1. Update SpiceDB to version 1.45.2 or later.
2. Restart the SpiceDB service.
3. Verify the version is 1.45.2 or later using the spicedb version command.

🔧 Temporary Workarounds

Limit WriteRelationships updates (applies to: all)

Set --write-relationships-max-updates-per-call to 1000 or lower to prevent the condition that triggers the vulnerability:

spicedb serve --write-relationships-max-updates-per-call=1000

🧯 If You Can't Patch

  • Apply the workaround by setting --write-relationships-max-updates-per-call to 1000 or lower
  • Monitor WriteRelationships calls for failures and implement additional validation logic in application layer

🔍 How to Verify

Check if Vulnerable:

A deployment is vulnerable only if all three conditions hold: the SpiceDB version is below 1.45.2, --write-relationships-max-updates-per-call is set above 6500, and the exclusion operator is used in the authorization schema.

Check Version:

spicedb version

Verify Fix Applied:

Verify version is 1.45.2 or higher using spicedb version command
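The three-part check above can be scripted so it is not left to a manual reading of the flags. The following POSIX sh script is an added example written for this page; it is not tooling from the SpiceDB project. It assumes the operator supplies the running version string (as printed by spicedb version) and the configured --write-relationships-max-updates-per-call value as arguments, and that the schema is available as a file. The sample schema it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SpiceDB's own tooling): evaluate the three conditions
# named in the advisory and report whether a deployment is affected.
# Assumptions: version string, configured max-updates value and schema file
# are provided by the operator.

VULN_THRESHOLD=6500   # flag value above which the advisory applies

# version_lt_fixed VERSION -> success (0) if VERSION is older than 1.45.2.
# A leading "v" is accepted; a pre-release suffix (e.g. "-rc1") is ignored.
version_lt_fixed() {
  v=${1#v}
  v=${v%%-*}
  old_ifs=$IFS
  IFS=.
  set -- $v
  IFS=$old_ifs
  maj=${1:-0}; min=${2:-0}; pat=${3:-0}
  [ "$maj" -lt 1 ] && return 0
  [ "$maj" -gt 1 ] && return 1
  [ "$min" -lt 45 ] && return 0
  [ "$min" -gt 45 ] && return 1
  [ "$pat" -lt 2 ]
}

# max_updates_exceeds N -> success if the configured per-call limit is > 6500.
max_updates_exceeds() {
  [ "$1" -gt "$VULN_THRESHOLD" ]
}

# schema_uses_exclusion FILE -> success if any permission line in the SpiceDB
# schema uses the exclusion operator "-", e.g.  permission view = reader - banned
schema_uses_exclusion() {
  grep -q '^[[:space:]]*permission[[:space:]].*=.*[[:space:]]-[[:space:]]' "$1"
}

# is_vulnerable VERSION MAX_UPDATES SCHEMA_FILE -> success only when all three
# advisory conditions hold at the same time.
is_vulnerable() {
  version_lt_fixed "$1" && max_updates_exceeds "$2" && schema_uses_exclusion "$3"
}

# write_sample_schema DEST: constructed sample schema (not from the advisory)
# with one permission that uses exclusion.
write_sample_schema() {
  cat > "$1" <<'EOF'
definition user {}

definition document {
    relation reader: user
    relation banned: user
    permission view = reader - banned
}
EOF
}

# Demonstration on constructed inputs: an unpatched and a patched version,
# both with the flag set to 8000 and a schema that uses exclusion.
demo=$(mktemp)
write_sample_schema "$demo"
for ver in 1.45.1 1.45.2; do
  if is_vulnerable "$ver" 8000 "$demo"; then
    echo "spicedb $ver, max-updates 8000, exclusion in schema: VULNERABLE"
  else
    echo "spicedb $ver, max-updates 8000, exclusion in schema: not vulnerable"
  fi
done
rm -f "$demo"
```

Run it as is to see the two constructed cases, or call is_vulnerable with the real values from your deployment: the version from spicedb version, the max-updates value from the service's command line or config, and the path to the schema file. A negative result on any one condition is enough for the script to report not vulnerable, mirroring the advisory's "all three" requirement.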

📡 Detection & Monitoring

Log Indicators:

  • WriteRelationships calls with large payloads returning success but no actual database updates
  • Permission check inconsistencies for resources using exclusion operator

Network Indicators:

  • Large WriteRelationships API calls to SpiceDB
  • Unusual pattern of permission check failures/successes

SIEM Query:

source="spicedb" AND ("WriteRelationships" AND "exclusion") AND size>6500
