CVE-2025-64529 – SpiceDB Denial of Service and Incorrect Permission Check Vulnerability

CVE ID : CVE-2025-64529

Published : Nov. 10, 2025, 11:15 p.m. | 15 minutes ago

Description : SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `–write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `–write-relationships-max-updates-per-call` to `1000`.

Severity: 2.7 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…