Description
Advisory GHSA-cwwm-hr97-qfxm references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/authzed/spicedb |
Description:
Impact
On schemas that use arrows where the arrowed relation carries a caveat, when resolving a CheckPermission request requires evaluating multiple caveated branches, the request may return a negative response where a positive one is expected.
For example, given this schema:
```zed
definition user {}

definition office {
    relation parent: office
    relation manager: user
    permission read = manager + parent->read
}

definition group {
    relation parent: office
    permission read = parent->read
}

definition document {
    relation owner: group with equals
    permission read = owner->r...
```
References:
- ADVISORY: https://github.com/advisories/GHSA-cwwm-hr97-qfxm
- ADVISORY: https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-49011
- FIX: https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67
- WEB: https://github.com/authzed/spicedb/releases/tag/v1.44.2
Cross references:
- github.com/authzed/spicedb appears in 9 other report(s):
  - data/reports/GO-2022-0295.yaml (https://github.com/golang/vulndb/issues/295)
  - data/reports/GO-2023-1723.yaml (https://github.com/golang/vulndb/issues/1723)
  - data/reports/GO-2023-1871.yaml (https://github.com/golang/vulndb/issues/1871)
  - data/reports/GO-2023-2166.yaml (https://github.com/golang/vulndb/issues/2166)
  - data/reports/GO-2024-2597.yaml (https://github.com/golang/vulndb/issues/2597)
  - data/reports/GO-2024-2716.yaml (https://github.com/golang/vulndb/issues/2716)
  - data/reports/GO-2024-2939.yaml (https://github.com/golang/vulndb/issues/2939)
  - data/reports/GO-2024-3131.yaml (https://github.com/golang/vulndb/issues/3131)
  - data/reports/GO-2024-3200.yaml (https://github.com/golang/vulndb/issues/3200)
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/authzed/spicedb
      non_go_versions:
        - introduced: TODO (earliest fixed "1.44.2", vuln range "<= 1.44.0")
      vulnerable_at: 1.44.2
summary: |-
    SpiceDB checks involving relations with caveats can result in no permission when
    permission is expected in github.com/authzed/spicedb
cves:
    - CVE-2025-49011
ghsas:
    - GHSA-cwwm-hr97-qfxm
references:
    - advisory: GHSA-cwwm-hr97-qfxm
    - advisory: GHSA-cwwm-hr97-qfxm
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-49011
    - fix: authzed/spicedb@fe8dd9f
    - web: https://github.com/authzed/spicedb/releases/tag/v1.44.2
source:
    id: GHSA-cwwm-hr97-qfxm
    created: 2025-06-06T22:01:24.630308421Z
review_status: UNREVIEWED
```