CVE-2025-65111: CWE-277: Insecure Inherited Permissions in authzed spicedb
SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes a permission defined in terms of a union (+) where that union references the same relation on both sides (but one side arrows to a different permission), then SpiceDB may have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1.
AI Analysis
Technical Summary
CVE-2025-65111 identifies a vulnerability in SpiceDB, an open-source database designed for managing application permissions securely. The issue arises when a schema defines a permission using a union (+) operation that references the same relation on both sides but points to different permissions. Under these conditions, the LookupResources API, responsible for enumerating resources accessible under a given permission, may return incomplete results. This means that some resources that should be accessible might not be listed, potentially causing authorization failures or inconsistent access control behavior. Importantly, other APIs within SpiceDB that calculate permissionship are unaffected and continue to operate correctly. The vulnerability stems from insecure inherited permissions, categorized under CWE-277, indicating improper permission validation or enforcement. The flaw is present in versions prior to 1.47.1 and has been addressed in that release. The CVSS 4.0 base score is 2.9, reflecting a low severity due to the limited impact on confidentiality and availability, no requirement for privileges or user interaction, and the fact that it only affects a specific API call. No exploits have been observed in the wild, suggesting limited active threat. However, organizations relying on LookupResources for critical permission checks may experience incomplete permission enforcement, potentially leading to security policy inconsistencies or operational issues.
Potential Impact
For European organizations, the impact of this vulnerability depends on their use of SpiceDB in managing application permissions, especially in security-critical environments. Incomplete LookupResources results could cause applications to deny legitimate access to resources or, conversely, fail to detect unauthorized access if the application logic relies solely on this API for permission enumeration. This inconsistency can disrupt business operations, cause user frustration, and potentially expose sensitive data if compensating controls are not in place. Organizations using SpiceDB in cloud-native or microservices architectures, common in Europe’s technology sectors, may face challenges in maintaining consistent access control policies. While the vulnerability does not directly lead to privilege escalation or data breaches, the risk of authorization errors can undermine trust in security mechanisms. Given the low severity and absence of known exploits, the immediate threat is limited, but the operational impact could be significant in environments with complex permission schemas. European entities with compliance obligations around access control (e.g., GDPR) should consider the implications of incomplete permission enforcement on data protection and auditability.
Mitigation Recommendations
The primary mitigation is to upgrade SpiceDB to version 1.47.1 or later, where the vulnerability is fixed. Organizations should audit their permission schemas to identify any use of unions referencing the same relation with different permissions, as this pattern triggers the issue. Where upgrading is not immediately feasible, implement compensating controls such as additional permission validation layers outside of SpiceDB or avoid relying solely on the LookupResources API for critical authorization decisions. Conduct thorough testing of permission checks after schema changes to detect inconsistencies. Monitoring and logging access control decisions can help identify anomalies caused by incomplete permission lookups. Security teams should also review application logic to ensure fallback mechanisms exist if LookupResources returns incomplete data. Finally, maintain awareness of SpiceDB updates and security advisories to promptly address future vulnerabilities.
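One way to implement the consistency test recommended above, as an added example that is not SpiceDB's or authzed's own code: for a given subject and permission, compare the resources LookupResources returns against a per-resource CheckPermission over a known candidate set, and report anything Check grants that Lookup omitted. The function signatures, the in-memory stand-in and the sample relationships (document#viewer, group#member, alice, eng) are all constructed here to reproduce the symptom the advisory describes, not the actual defect; wiring the two callables to a real SpiceDB client is left to the reader.

```python
from typing import Callable, Iterable

# Query shapes modelled on SpiceDB's LookupResources and CheckPermission APIs
# (hypothetical signatures for this example; not the authzed client's own).
LookupFn = Callable[[str, str, str], set[str]]    # (resource_type, permission, subject_id) -> resource ids
CheckFn = Callable[[str, str, str, str], bool]    # (resource_type, resource_id, permission, subject_id) -> allowed?


def find_missing_lookup_results(resource_type: str, permission: str, subject_id: str,
                                candidate_ids: Iterable[str],
                                lookup: LookupFn, check: CheckFn) -> list[str]:
    """Resources that CheckPermission grants but LookupResources failed to enumerate.

    CheckPermission is treated as the source of truth because the advisory states
    that only LookupResources is affected. A non-empty result means the application
    must not rely on LookupResources alone for this (resource type, permission) pair.
    """
    listed = lookup(resource_type, permission, subject_id)
    return sorted(rid for rid in candidate_ids
                  if rid not in listed and check(resource_type, rid, permission, subject_id))


# --- Constructed in-memory stand-in for a SpiceDB instance (sample data, not real) ---
# A "view" permission reachable through two branches of a union over the same relation:
# branch A: document#viewer names a user directly;
# branch B: document#viewer names a group, which is then arrowed into group->member.
DIRECT_VIEWERS = {"doc1": {"alice"}, "doc2": {"bob"}}
VIEWER_GROUPS = {"doc3": {"eng"}, "doc4": {"eng"}}
GROUP_MEMBERS = {"eng": {"alice"}}


def fake_check(resource_type: str, resource_id: str, permission: str, subject_id: str) -> bool:
    """Evaluates both branches of the union, as the advisory says CheckPermission does."""
    if subject_id in DIRECT_VIEWERS.get(resource_id, set()):
        return True
    return any(subject_id in GROUP_MEMBERS.get(g, set())
               for g in VIEWER_GROUPS.get(resource_id, set()))


def fake_lookup_buggy(resource_type: str, permission: str, subject_id: str) -> set[str]:
    """Simulates the symptom only: the arrowed branch of the union is never enumerated."""
    return {rid for rid, subs in DIRECT_VIEWERS.items() if subject_id in subs}


if __name__ == "__main__":
    candidates = ["doc1", "doc2", "doc3", "doc4"]
    # Expected: ["doc3", "doc4"] are granted by Check but missing from Lookup for alice.
    print(find_missing_lookup_results("document", "view", "alice", candidates,
                                      fake_lookup_buggy, fake_check))
```

Run the same comparison against the upgraded server after patching: once 1.47.1 is deployed, the function should return an empty list for every subject in the candidate set.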
Affected Countries
Germany, Netherlands, United Kingdom, France, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-17T20:55:34.694Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6920e4b727835fd566e3a362
Added to database: 11/21/2025, 10:16:23 PM
Last enriched: 11/21/2025, 10:31:20 PM
Last updated: 11/22/2025, 12:43:06 AM