SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results — CVE-2025-65111
GHSA · GitHub · CVE-2025-65111
ID
CVE-2025-65111
CVE-2025-65111
Date
Updated
Activity
Source
GHSA
GHSA
Vendor
GitHub
GitHub
Threat
low
low
CVSS
2.9
2.9
EPSS
0.00053
0.00053
Summary
### Impact If your schema includes the following characteristics: 1. You have a permission defined in terms of a union (`+`) 1. That union references the same relation on both sides, but one side arrows to a different permission Then you might have missing `LookupResources` results when checking the permission. This only affects `LookupResources`; other APIs calculate permissionship correctly. A small concrete…
Product
go: github.com/authzed/spicedb
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.