CVE-2025-49011: CWE-358: Improperly Implemented Security Check for Standard in authzed spicedb

Low
Tags: Vulnerability, CVE-2025-49011, CWE-358
Published: Fri Jun 06 2025 (06/06/2025, 17:36:21 UTC)
Source: CVE Database V5
Vendor/Project: authzed
Product: spicedb

Description

SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow’ed relation.

AI-Powered Analysis

Last updated: 07/08/2025, 11:27:03 UTC

Technical Analysis

CVE-2025-49011 is a vulnerability identified in authzed's SpiceDB, an open-source database designed for storing and querying fine-grained authorization data. The issue affects versions prior to 1.44.2 and relates to the improper implementation of security checks when schemas involve arrows with caveats on the arrow’ed relation. Specifically, when a CheckPermission request path requires evaluating multiple caveated branches, the system may incorrectly return a negative response (denying permission) when a positive response (granting permission) is expected. This behavior stems from an improper security check implementation categorized under CWE-358 (Improperly Implemented Security Check). The vulnerability does not allow unauthorized access but can lead to denial of legitimate permissions, potentially disrupting application functionality relying on SpiceDB for authorization decisions. The fix was introduced in version 1.44.2, and a workaround is to avoid using caveats over arrow’ed relations in the schema until the patch is applied. The CVSS 3.1 base score is 3.7, indicating a low severity level, with the vector showing network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). No known exploits are reported in the wild as of the publication date.

Potential Impact

For European organizations utilizing SpiceDB for authorization management, this vulnerability could cause legitimate permission checks to fail, resulting in denial of access to authorized users or services. While this does not directly lead to unauthorized data access or system compromise, it can disrupt business operations, especially in environments where fine-grained access control is critical, such as financial services, healthcare, or government sectors. The integrity impact is low but non-negligible, as incorrect permission denials can affect workflow continuity, user productivity, and potentially lead to operational delays. Given the network-exploitable nature but high attack complexity and no need for privileges or user interaction, the risk of widespread exploitation is limited. However, organizations relying heavily on caveated relations in their authorization schemas are more susceptible to operational disruptions until they apply the patch or implement the recommended workaround.

Mitigation Recommendations

European organizations should promptly upgrade SpiceDB to version 1.44.2 or later to remediate this vulnerability. Until the upgrade is feasible, schema designers should avoid using caveats on arrow’ed relations to prevent triggering the faulty permission evaluation logic. Additionally, organizations should audit their authorization schemas to identify and refactor any caveated arrow’ed relations. Implementing comprehensive testing of authorization logic after schema changes can help detect unexpected permission denials early. Monitoring application logs for unusual access denials related to authorization checks can provide early indicators of this issue. Finally, organizations should maintain an updated inventory of systems using SpiceDB to ensure all instances are patched in a timely manner.
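The description and the mitigation above both point at one schema pattern: an arrow expression whose traversed relation is declared with a caveat. The following script is an added example, not part of the advisory or of the SpiceDB project, that helps with the recommended schema audit by scanning SpiceDB schema text for that pattern. It assumes the pattern of concern is an arrow whose left-hand relation (the one walked by the arrow) carries a `with <caveat>` clause; the sample schema, the caveat name `only_on_weekdays` and all definition names are constructed for illustration. It is a regex-based heuristic over the schema source, not a full SpiceDB schema parser, so it is meant to shortlist permissions for manual review.

```python
import re
from dataclasses import dataclass

# Constructed sample schema (not taken from the advisory). It contains one arrow
# expression, folder.view = viewer + org->member, whose traversed relation "org"
# is declared with a caveat: the pattern the advisory says to avoid before 1.44.2.
SAMPLE_SCHEMA = """
definition user {}

caveat only_on_weekdays(day string) {
  day != "sat" && day != "sun"
}

definition organization {
  relation admin: user
  relation member: user
  permission manage = admin
}

definition folder {
  // the arrow below walks a caveated relation
  relation org: organization with only_on_weekdays
  relation viewer: user
  permission view = viewer + org->member
}

definition document {
  relation parent: folder
  relation editor: user with only_on_weekdays
  permission edit = editor
  permission view = edit + parent->view
}
"""


@dataclass(frozen=True)
class Finding:
    definition: str   # object definition containing the permission
    permission: str   # permission whose expression contains the arrow
    relation: str     # left-hand side of the arrow (the traversed relation)
    target: str       # right-hand side of the arrow
    caveats: tuple    # caveat names declared on the traversed relation


DEFINITION_RE = re.compile(r"definition\s+(\w+)\s*\{(.*?)\}", re.S)
RELATION_RE = re.compile(r"relation\s+(\w+)\s*:\s*([^\n]+)")
PERMISSION_RE = re.compile(r"permission\s+(\w+)\s*=\s*([^\n]+)")
ARROW_RE = re.compile(r"(\w+)\s*->\s*(\w+)")
CAVEAT_RE = re.compile(r"\bwith\s+(\w+)")


def strip_comments(schema: str) -> str:
    """Remove // line comments and /* */ block comments so they cannot match."""
    schema = re.sub(r"/\*.*?\*/", "", schema, flags=re.S)
    return re.sub(r"//[^\n]*", "", schema)


def caveated_relations(body: str) -> dict:
    """Map relation name -> tuple of caveat names, for one definition body."""
    out = {}
    for m in RELATION_RE.finditer(body):
        name, allowed_types = m.groups()
        caveats = tuple(CAVEAT_RE.findall(allowed_types))
        if caveats:
            out[name] = caveats
    return out


def find_caveated_arrows(schema: str) -> list:
    """Return every arrow whose traversed relation is declared with a caveat."""
    findings = []
    for d in DEFINITION_RE.finditer(strip_comments(schema)):
        def_name, body = d.groups()
        caveated = caveated_relations(body)
        if not caveated:
            continue
        for p in PERMISSION_RE.finditer(body):
            perm_name, expr = p.groups()
            for left, right in ARROW_RE.findall(expr):
                if left in caveated:
                    findings.append(Finding(def_name, perm_name, left, right, caveated[left]))
    return findings


if __name__ == "__main__":
    for f in find_caveated_arrows(SAMPLE_SCHEMA):
        print(f"{f.definition}.{f.permission}: arrow {f.relation}->{f.target} "
              f"walks relation declared with caveat(s) {', '.join(f.caveats)}")
```

Run it against an exported schema (for example the output of `zed schema read`, redirected to a file and passed to `find_caveated_arrows`) and review each reported permission; a clean report does not prove the schema is unaffected, since only the traversed relation is checked here, but every hit is a permission worth regression-testing before and after the upgrade to 1.44.2.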

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-29T16:34:07.176Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6843377571f4d251b5d89018

Added to database: 6/6/2025, 6:46:13 PM

Last enriched: 7/8/2025, 11:27:03 AM

Last updated: 8/17/2025, 3:14:43 PM
