x/vulndb: potential Go vuln in github.com/authzed/spicedb: GHSA-cwwm-hr97-qfxm #3744

Open
@GoVulnBot

Advisory GHSA-cwwm-hr97-qfxm references a vulnerability in the following Go modules:

Module
github.com/authzed/spicedb

Description:

Impact

On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected.

For example, given this schema:

definition user {}

definition office {
	relation parent: office
	relation manager: user
	permission read = manager + parent->read
}

definition group {
	relation parent: office
	permission read = parent->read
}

definition document {
	relation owner: group with equals
	permission read = owner->r...

References:
- ADVISORY: https://github.com/advisories/GHSA-cwwm-hr97-qfxm
- ADVISORY: https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-49011
- FIX: https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67
- WEB: https://github.com/authzed/spicedb/releases/tag/v1.44.2

Cross references:
- github.com/authzed/spicedb appears in 9 other report(s):
  - data/reports/GO-2022-0295.yaml    (https://github.com/golang/vulndb/issues/295)
  - data/reports/GO-2023-1723.yaml    (https://github.com/golang/vulndb/issues/1723)
  - data/reports/GO-2023-1871.yaml    (https://github.com/golang/vulndb/issues/1871)
  - data/reports/GO-2023-2166.yaml    (https://github.com/golang/vulndb/issues/2166)
  - data/reports/GO-2024-2597.yaml    (https://github.com/golang/vulndb/issues/2597)
  - data/reports/GO-2024-2716.yaml    (https://github.com/golang/vulndb/issues/2716)
  - data/reports/GO-2024-2939.yaml    (https://github.com/golang/vulndb/issues/2939)
  - data/reports/GO-2024-3131.yaml    (https://github.com/golang/vulndb/issues/3131)
  - data/reports/GO-2024-3200.yaml    (https://github.com/golang/vulndb/issues/3200)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/authzed/spicedb
      non_go_versions:
        - introduced: TODO (earliest fixed "1.44.2", vuln range "<= 1.44.0")
      vulnerable_at: 1.44.2
summary: |-
    SpiceDB checks involving relations with caveats can result in no permission when
    permission is expected in github.com/authzed/spicedb
cves:
    - CVE-2025-49011
ghsas:
    - GHSA-cwwm-hr97-qfxm
references:
    - advisory: GHSA-cwwm-hr97-qfxm
    - advisory: GHSA-cwwm-hr97-qfxm
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-49011
    - fix: authzed/spicedb@fe8dd9f
    - web: https://github.com/authzed/spicedb/releases/tag/v1.44.2
source:
    id: GHSA-cwwm-hr97-qfxm
    created: 2025-06-06T22:01:24.630308421Z
review_status: UNREVIEWED