CVE-2025-65111: CWE-277: Insecure Inherited Permissions in authzed spicedb
SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes a permission defined as a union (+) whose two sides reference the same relation, with one side arrowing to a different permission, then SpiceDB may return missing LookupResources results when checking that permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1.
AI Analysis
Technical Summary
CVE-2025-65111 is a vulnerability classified under CWE-277 (Insecure Inherited Permissions) affecting authzed's SpiceDB, an open-source database designed for managing application permissions. The issue arises in versions prior to 1.47.1 when the schema defines a permission as a union (+) whose two sides reference the same relation, with one side arrowing to a different permission. This specific schema pattern causes the LookupResources API to return incomplete results, omitting some resources that the subject is actually permitted to access. Importantly, this flaw only impacts the LookupResources API; other permission evaluation APIs in SpiceDB, such as CheckPermission, calculate permissions correctly and are unaffected. The vulnerability does not require authentication or user interaction, and the attack vector is network-based with low complexity. The CVSS 4.0 score is 2.9, reflecting a low severity primarily due to limited impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild. The root cause is insecure handling of inherited permissions in the permission evaluation logic, leading to potential authorization inconsistencies between APIs. The issue was publicly disclosed on November 21, 2025, and fixed in version 1.47.1 of SpiceDB. Organizations relying on SpiceDB for security-critical permission management should upgrade to the patched version to ensure accurate permission enforcement.
Potential Impact
For European organizations, the impact of CVE-2025-65111 is primarily related to authorization accuracy in applications using SpiceDB for permission management. Incomplete LookupResources results mean that some resources a subject is entitled to are not returned, so applications that build resource listings or enforcement decisions from LookupResources may deny access that should be granted or enforce permissions inconsistently with CheckPermission. While this does not directly lead to privilege escalation or data leakage, it may cause operational disruptions or inconsistent access control enforcement in critical systems. Organizations in sectors with stringent access control requirements, such as finance, healthcare, and government, may face compliance risks if permissions are not accurately enforced. However, since other APIs remain unaffected and the vulnerability has a low severity score, the overall risk is limited. The absence of known exploits reduces immediate threat levels, but the potential for subtle authorization errors warrants timely remediation. Organizations using custom or complex permission schemas involving unions and inherited permissions are more likely to be affected.
Mitigation Recommendations
European organizations using SpiceDB should upgrade to version 1.47.1 or later, where this vulnerability is fixed. Prior to upgrading, review and audit permission schemas for unions whose two sides reference the same relation but arrow to different permissions, to identify which permissions are exposed to the pattern. Implement additional logging and monitoring around permission evaluation, especially focusing on LookupResources API calls, to detect anomalies or unexpected access denials. Conduct thorough testing of permission enforcement in staging environments after applying the patch, for example by cross-checking LookupResources output against CheckPermission for the same subject, to ensure that all resources are correctly accounted for. Where feasible, avoid schemas involving unions referencing the same relation until the upgrade is applied. Additionally, maintain strict version control and update policies for open-source security-critical components like SpiceDB. Engage with the vendor or community for any further guidance or patches. Finally, incorporate this vulnerability into risk assessments and compliance audits to ensure organizational awareness.
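The following is an added example, not code from the advisory or from the SpiceDB project. It models, in memory, a schema of the shape described above (a union whose two branches use the same relation, one arrowing to a different permission) and shows the cross-check the mitigation section recommends: for a given subject, compare the set returned by LookupResources against a per-resource CheckPermission and report any resource the lookup omitted. The schema, relationship data, permission names and the `lookup_documents_one_branch` divergence are all constructed for illustration; the latter is a stand-in to exercise the detector, not the actual SpiceDB defect. Against a live deployment the two callables passed to `find_lookup_gaps` would wrap the real CheckPermission and LookupResources calls.

```python
"""Cross-check LookupResources against CheckPermission for one schema pattern.

Constructed example (not from the advisory or SpiceDB). The schema modelled in memory:

    definition user {}
    definition folder {
        relation viewer: user
        relation admin: user
        permission view = viewer
        permission manage = admin
    }
    definition document {
        relation parent: folder
        # union: both branches use `parent`; one arrows to `view`, the other to `manage`
        permission view = parent->view + parent->manage
    }
"""
from collections import defaultdict
from typing import Callable, Iterable, List, Set

# Relationship tuples (resource, relation, subject). Constructed sample data.
RELATIONSHIPS = [
    ("folder:eng", "viewer", "user:alice"),
    ("folder:ops", "admin", "user:alice"),
    ("folder:hr", "viewer", "user:bob"),
    ("document:roadmap", "parent", "folder:eng"),
    ("document:runbook", "parent", "folder:ops"),
    ("document:payroll", "parent", "folder:hr"),
]


def _index(rels):
    """Map (resource, relation) -> set of subjects for quick lookups."""
    idx = defaultdict(set)
    for res, rel, subj in rels:
        idx[(res, rel)].add(subj)
    return idx


INDEX = _index(RELATIONSHIPS)
ALL_DOCS = sorted({res for res, _, _ in RELATIONSHIPS if res.startswith("document:")})


def folder_has(folder: str, permission: str, user: str) -> bool:
    """Folder permissions are plain relations in this constructed schema."""
    relation = {"view": "viewer", "manage": "admin"}[permission]
    return user in INDEX[(folder, relation)]


def check_document_view(doc: str, user: str) -> bool:
    """Reference semantics of document#view: union of both arrow branches."""
    parents = INDEX[(doc, "parent")]
    return any(folder_has(f, "view", user) or folder_has(f, "manage", user) for f in parents)


def lookup_documents_correct(user: str) -> Set[str]:
    """LookupResources as it should behave: every document the check would allow."""
    return {d for d in ALL_DOCS if check_document_view(d, user)}


def lookup_documents_one_branch(user: str) -> Set[str]:
    """Constructed stand-in for a lookup that only follows the first union branch.
    This is NOT the actual SpiceDB defect; it only gives the detector a divergence to find."""
    return {d for d in ALL_DOCS if any(folder_has(f, "view", user) for f in INDEX[(d, "parent")])}


def find_lookup_gaps(user: str, all_resources: Iterable[str],
                     check: Callable[[str, str], bool],
                     lookup: Callable[[str], Set[str]]) -> List[str]:
    """Resources where the check allows access but the lookup omits them.

    `check` and `lookup` are callables; against a live deployment they would wrap the
    CheckPermission and LookupResources API calls for the permission under test."""
    found = lookup(user)
    return sorted(r for r in all_resources if check(r, user) and r not in found)


if __name__ == "__main__":
    for name, lookup in [("correct", lookup_documents_correct),
                         ("one-branch", lookup_documents_one_branch)]:
        gaps = find_lookup_gaps("user:alice", ALL_DOCS, check_document_view, lookup)
        print(f"{name} lookup: missing={gaps}")
```

Running the script reports no gap for the correct lookup and one missing document for the one-branch lookup, because alice reaches `document:runbook` only through the `parent->manage` branch. In a staging test against a patched deployment, any non-empty gap list for a schema of this shape is the signal to investigate before relying on LookupResources for enforcement.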
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-17T20:55:34.694Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6920e4b727835fd566e3a362
Added to database: 11/21/2025, 10:16:23 PM
Last enriched: 11/28/2025, 10:49:15 PM
Last updated: 1/7/2026, 4:52:33 AM