CVE-2025-49011

Published: Jun 6, 2025

Modified: Jun 6, 2025

PUBLISHED

CVSS v3.1

3.7

LOW

Description

SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow’ed relation.

Vendor	Product	Versions
authzed	spicedb	affected `< 1.44.2`

Weaknesses (CWE)

CWE-358

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm

x_refsource_CONFIRM

https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67

x_refsource_MISC

https://github.com/authzed/spicedb/releases/tag/v1.44.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-49011

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References