CVE-2025-65111

5.3 MEDIUM

📋 TL;DR

This vulnerability in SpiceDB causes the LookupResources API to omit results when it evaluates permissions defined as a union in which the same relation appears on both sides with different permission arrows. Applications relying on those results can incorrectly conclude that users lack access to resources they are actually entitled to. Only systems running SpiceDB with schemas containing that union pattern are affected.

💻 Affected Systems

Products: SpiceDB
Versions: All versions prior to 1.47.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects systems whose schemas contain permissions defined as a union that references the same relation on both sides with different permission arrows (for example, two different arrows off the same relation joined with +).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Incorrect authorization denials: users are refused access to resources they should have permission to access, potentially disrupting critical business operations.

🟠 Likely Case

Intermittent authorization failures where legitimate users cannot access resources they should have permission to access, leading to application errors and user complaints.

🟢 If Mitigated

Authorization failures limited to the specific resource types defined with the problematic union pattern, with other permission checks functioning normally.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Triggering the bug requires knowledge of the specific schema structure and the ability to make LookupResources API calls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.47.1

Vendor Advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-9m7r-g8hg-x3vr

Restart Required: Yes

Instructions:

1. Update SpiceDB to version 1.47.1 or later
2. Restart the SpiceDB service
3. Verify the update was successful

🔧 Temporary Workarounds

Schema modification (applies to: all versions)

Modify schemas to avoid union permissions that reference the same relation on both sides with different permission arrows.

🧯 If You Can't Patch

  • Audit schemas for union permissions referencing same relation on both sides and modify them
  • Implement additional authorization checks outside of LookupResources API
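To make the schema pattern concrete, here is an added illustration that is not taken from the advisory or from the SpiceDB project. The object types, relations and permission names are constructed for the example; the first schema shows a union of two different arrows off the same relation, and the second shows one way to restructure it so that a single arrow remains while the granted access stays the same.

```zed
// Constructed example schema (not from the advisory): the pattern this page
// describes. In "document", the permission "view" is a union whose two sides
// both reference the relation "parent" but use different permission arrows.
definition user {}

definition folder {
    relation viewer: user
    relation editor: user
    permission view = viewer
    permission edit = editor
}

definition document {
    relation parent: folder
    // same relation ("parent") on both sides, different arrows: the shape to avoid
    permission view = parent->view + parent->edit
}

// Restructured version (assumption, one possible rewrite): move the union onto
// the referenced type so that "document" needs only one arrow through "parent".
definition folder_fixed {
    relation viewer: user
    relation editor: user
    permission view = viewer
    permission edit = editor
    permission view_or_edit = view + edit
}

definition document_fixed {
    relation parent: folder_fixed
    // single arrow; the union now lives on the folder side
    permission view = parent->view_or_edit
}
```

The rewrite keeps the same set of users who can view a document (anyone who can view or edit the parent folder) but expresses it as one arrow, which is the shape the workaround on this page asks for. After changing a schema, confirm with a CheckPermission and a LookupResources call against a known relationship set that both still return the expected subjects and resources.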

🔍 How to Verify

Check if Vulnerable:

Check whether the SpiceDB version is below 1.47.1 and review schemas for union permissions that reference the same relation on both sides with different permission arrows.

Check Version:

spicedb version

Verify Fix Applied:

Verify that the SpiceDB version is 1.47.1 or later, then exercise the LookupResources API against the previously problematic schemas and confirm that the full set of expected resources is returned.

📡 Detection & Monitoring

Log Indicators:

  • Increased LookupResources API errors
  • Authorization failures for users with valid permissions

Network Indicators:

  • SpiceDB API calls returning unexpected empty results for LookupResources

SIEM Query:

Look for SpiceDB logs containing 'LookupResources' together with error patterns or unexpectedly empty result sets, and correlate them with application-side access-denied events for users who hold the relevant relationships.
