CVE-2025-64529: CWE-770: Allocation of Resources Without Limits or Throttling in authzed spicedb

Severity: Low
Tags: Vulnerability, CVE-2025-64529, CWE-770
Published: Mon Nov 10 2025 (11/10/2025, 22:28:51 UTC)
Source: CVE Database V5
Vendor/Project: authzed
Product: spicedb

Description

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-relationships-max-updates-per-call` to `1000`.

AI-Powered Analysis

Last updated: 11/17/2025, 23:08:04 UTC

Technical Analysis

CVE-2025-64529 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting authzed's SpiceDB, an open-source database system designed for managing application permissions securely. The flaw exists in versions prior to 1.45.2 and is triggered when users employ the exclusion operator in their authorization schema and configure the server with a `--write-relationships-max-updates-per-call` value exceeding 6500. Under these conditions, if a WriteRelationships API call includes a large number of updates resulting in a payload size exceeding datastore limits, the server incorrectly returns a successful response even though the operation failed internally. This discrepancy causes the permission checks that rely on these relationships, especially those involving exclusions, to yield incorrect results. The root cause is the lack of proper throttling or limits on resource allocation during large update operations, leading to silent failures. The vulnerability does not require authentication or user interaction, and no known exploits are currently reported in the wild. The issue was addressed in SpiceDB version 1.45.2 by implementing proper limits and error handling. As a temporary mitigation, users can set the `--write-relationships-max-updates-per-call` parameter to 1000 to avoid triggering the bug. The CVSS 4.0 score of 2.7 reflects a low severity, primarily due to the limited impact scope and the absence of remote code execution or privilege escalation. However, the incorrect permission evaluation can undermine the integrity of access control decisions in applications relying on SpiceDB.

Potential Impact

For European organizations, the primary impact of this vulnerability lies in the potential for incorrect permission checks, which can lead to unauthorized access or denial of legitimate access to sensitive resources. Organizations using SpiceDB to enforce fine-grained, security-critical permissions in applications such as financial services, healthcare, or government systems may face risks of data exposure or operational disruption. Although the vulnerability does not directly allow attackers to execute arbitrary code or escalate privileges, the integrity of authorization decisions is compromised, which can undermine trust in security controls. The silent failure of WriteRelationships calls can also complicate incident detection and response, as administrators may believe updates succeeded when they did not. This can affect compliance with data protection regulations like GDPR if unauthorized data access occurs. The low CVSS score suggests limited immediate risk, but the impact is context-dependent, particularly for organizations with complex authorization schemas using the exclusion operator and large-scale relationship updates. The absence of known exploits reduces urgency but does not eliminate risk, especially as attackers may develop techniques to exploit this flaw over time.

Mitigation Recommendations

European organizations should upgrade SpiceDB to version 1.45.2 or later, where the vulnerability is patched. Until upgrading is feasible, they should configure the `--write-relationships-max-updates-per-call` parameter to 1000 or lower to prevent triggering the issue. It is critical to audit authorization schemas for the use of the exclusion operator and review the size and frequency of WriteRelationships API calls to avoid large payloads that exceed datastore limits. Implement monitoring and alerting on WriteRelationships call failures and permission check anomalies to detect potential exploitation or misconfigurations. Additionally, organizations should conduct thorough testing of permission evaluations after applying updates or configuration changes to ensure correctness. Where possible, segment and isolate systems using SpiceDB to limit the blast radius of incorrect permission evaluations. Finally, maintain an inventory of affected systems and ensure that security teams are aware of the vulnerability and mitigation steps.
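The three conditions stated in the technical analysis and the workaround recommended above can be checked mechanically across a fleet. The following is an added example, not code from the advisory or the SpiceDB project: it classifies one deployment from its version tag, its `spicedb serve` command line and its schema text, and reports whether the 1000 workaround is in place. It assumes plain `vX.Y.Z` version tags, the flag spelled exactly as on this page, and a line-based schema scan; the flag's built-in default is not stated on the page, so an absent flag is reported as unknown rather than guessed.

```python
import re
import shlex
PATCHED = (1, 45, 2)      # first fixed release per the advisory
FLAG = "--write-relationships-max-updates-per-call"
WORKAROUND_MAX = 1000     # value the advisory recommends as a workaround
TRIGGER_MIN = 6500        # affected only when the flag is bigger than this
# Constructed sample schema (not from the page) that uses the '-' exclusion operator.
SAMPLE_SCHEMA = """definition user {}
definition document {
    relation reader: user
    relation banned: user
    permission view = reader - banned
}"""

def parse_version(tag):
    """'v1.44.0' -> (1, 44, 0); raises ValueError for pre-release or odd tags."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())

def flag_value(command_line):
    """Value of FLAG ('--flag=N' or '--flag N'), or None if absent (built-in default applies)."""
    argv = shlex.split(command_line)
    for i, arg in enumerate(argv):
        if arg == FLAG and i + 1 < len(argv):
            return int(argv[i + 1])
        if arg.startswith(FLAG + "="):
            return int(arg.split("=", 1)[1])
    return None

def uses_exclusion(schema):
    """True if any 'permission' line uses '-' between operands ('->' arrows do not match); line-based, comments stripped."""
    lines = (l.split("//", 1)[0].strip() for l in schema.splitlines())
    return any(l.startswith("permission") and re.search(r"\w\s*-\s*\w", l) for l in lines)

def assess(version_tag, command_line, schema):
    """Classify one deployment against the advisory's three conditions."""
    if parse_version(version_tag) >= PATCHED:
        return "patched"
    if not uses_exclusion(schema):
        return "not-affected"    # exclusion operator never used in the schema
    value = flag_value(command_line)
    if value is None:
        return "unknown"         # default in effect; the advisory does not state it
    if value > TRIGGER_MIN:
        return "exposed"
    # at or below the trigger: mitigated once at the recommended 1000, otherwise worth a review
    return "mitigated" if value <= WORKAROUND_MAX else "review"
```

A "review" result means the flag sits between the recommended workaround value and the advisory's trigger; it is not above the stated trigger, but it is also not at the value the advisory recommends.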


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-05T21:15:39.401Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 691268886b3b7718db04cf00

Added to database: 11/10/2025, 10:34:48 PM

Last enriched: 11/17/2025, 11:08:04 PM

Last updated: 12/24/2025, 3:41:39 AM
