Low severity · NVD Advisory · Published Nov 21, 2025 · Updated Nov 24, 2025

SpiceDB's LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results

CVE-2025-65111

Description

SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, SpiceDB may return incomplete LookupResources results when checking a permission if the schema has the following characteristics: the permission is defined in terms of a union (+), and that union references the same relation on both sides (but one side arrows to a different permission). This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1.
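To review your own schemas for the shape described above, the following added example (not code from the advisory or the SpiceDB project) flags permissions whose union references the same relation both directly and through an arrow, or through arrows to different permissions. The function name and the sample schema are constructed for illustration. The scanner assumes one permission per line and ignores nesting, so a match is a candidate for review, not proof that a schema is affected.

```python
import re

# Constructed schema text for exercising the scanner; it is not taken from
# the advisory and is not claimed to reproduce the bug.
SAMPLE_SCHEMA = """
definition user {}

definition group {
    relation member: user
    permission view = member
}

definition document {
    relation viewer: user | group
    relation owner: user
    // 'viewer' appears on both sides of '+'; one side arrows to 'view'
    permission view = viewer + viewer->view
    permission edit = owner + viewer->view
}
"""

DEF_RE = re.compile(r"definition\s+([\w/]+)\s*\{(.*?)\}", re.S)
REL_RE = re.compile(r"relation\s+(\w+)\s*:")
PERM_RE = re.compile(r"permission\s+(\w+)\s*=\s*([^\n]+)")
# An operand is `rel`, `rel->perm`, or the functional forms `rel.any(perm)` / `rel.all(perm)`.
OPERAND_RE = re.compile(r"(\w+)(?:\s*->\s*(\w+)|\.(?:any|all)\(\s*(\w+)\s*\))?")

def find_suspect_permissions(schema):
    """Return (definition, permission, relation) triples worth a manual review."""
    schema = re.sub(r"//[^\n]*", "", schema)          # drop line comments
    findings = []
    for def_name, body in DEF_RE.findall(schema):
        relations = set(REL_RE.findall(body))
        for perm, expr in PERM_RE.findall(body):
            if "+" not in expr:                        # only unions are in scope
                continue
            forms = {}                                 # relation -> {None | arrow target}
            for rel, arrow, func_arrow in OPERAND_RE.findall(expr):
                target = arrow or func_arrow
                if target or rel in relations:         # skip bare permission names
                    forms.setdefault(rel, set()).add(target or None)
            for rel, targets in sorted(forms.items()):
                if len(targets) > 1 and any(targets):  # same relation, differing sides
                    findings.append((def_name, perm, rel))
    return findings

if __name__ == "__main__":
    for hit in find_suspect_permissions(SAMPLE_SCHEMA):
        print("review: definition=%s permission=%s relation=%s" % hit)
```

Because the description states that only LookupResources is affected, permissions flagged here are the ones to prioritize when confirming the upgrade to 1.47.1.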

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/authzed/spicedb (Go)
Affected versions: < 1.47.1
Patched versions: 1.47.1
