Low severity · NVD Advisory · Published Nov 21, 2025 · Updated Nov 24, 2025
SpiceDB's LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results
CVE-2025-65111
Description
SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, SpiceDB may return incomplete LookupResources results for a permission when the schema defines that permission as a union (+) that references the same relation on both sides, with one side arrowing to a different permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1.
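To triage whether a schema has the shape described above, the following added example (not SpiceDB's code and not taken from the advisory) scans schema text for unions that combine a bare relation with an arrow rooted at the same relation. The sample schema and the name `FlagPermissions` are constructed for illustration; the check is a text heuristic for single-line permission declarations, and upgrading to 1.47.1 remains the fix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample schema: "view" unions "viewer" with an arrow from "viewer".
const sampleSchema = `
definition user {}
definition group {
	relation member: user
	permission membership = member
}
definition document {
	relation viewer: user | group
	permission view = viewer + viewer->membership // flagged
	permission edit = viewer->membership
}`

// permRe matches single-line declarations of the form "permission name = expr".
var permRe = regexp.MustCompile(`(?m)^\s*permission\s+(\w+)\s*=\s*(.+)$`)

// FlagPermissions returns permissions whose union has a bare relation operand and
// an arrow operand rooted at that same relation (heuristic, no SpiceDB parser).
func FlagPermissions(schema string) []string {
	var flagged []string
	for _, m := range permRe.FindAllStringSubmatch(schema, -1) {
		expr, _, _ := strings.Cut(m[2], "//") // drop trailing line comment
		bare, arrowed := map[string]bool{}, map[string]bool{}
		for _, op := range strings.Split(expr, "+") {
			if left, _, ok := strings.Cut(op, "->"); ok {
				arrowed[strings.TrimSpace(left)] = true
			} else {
				bare[strings.TrimSpace(op)] = true
			}
		}
		for rel := range bare {
			if arrowed[rel] {
				flagged = append(flagged, m[1])
				break
			}
		}
	}
	return flagged
}

func main() { fmt.Println(FlagPermissions(sampleSchema)) }
```

A flagged permission is a candidate for review, not proof of impact: only LookupResources callers on versions before 1.47.1 are affected.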
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/authzed/spicedb (Go) | < 1.47.1 | 1.47.1 |
Affected products
- ghsa-coords (3 versions): pkg:golang/github.com/authzed/spicedb, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6, pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6; range: < 1.47.1
- (no CPE) range: < 1.47.1
- (no CPE) range: < 0.0.20251209T172047-150000.1.127.1
- (no CPE) range: < 0.0.20251209T172047-150000.1.127.1
References
- github.com/advisories/GHSA-9m7r-g8hg-x3vr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-65111 (ghsa, ADVISORY)
- github.com/authzed/spicedb/commit/8c2edbe1e7bd3851fa2138f4cc344bfde986dcf2 (ghsa, x_refsource_MISC, WEB)
- github.com/authzed/spicedb/security/advisories/GHSA-9m7r-g8hg-x3vr (ghsa, x_refsource_CONFIRM, WEB)