Skip to content

Commit 04a4d48

Browse files
1 parent fd0dfb7 commit 04a4d48

1 file changed

Lines changed: 72 additions & 0 deletions

File tree

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-cwwm-hr97-qfxm",
4+
"modified": "2025-06-06T21:41:00Z",
5+
"published": "2025-06-06T21:41:00Z",
6+
"aliases": [
7+
"CVE-2025-49011"
8+
],
9+
"summary": "SpiceDB checks involving relations with caveats can result in no permission when permission is expected",
10+
"details": "### Impact\n\nOn schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected.\n\nFor example, given this schema:\n\n```\ndefinition user {}\n\ndefinition office {\n\trelation parent: office\n\trelation manager: user\n\tpermission read = manager + parent->read\n}\n\ndefinition group {\n\trelation parent: office\n\tpermission read = parent->read\n}\n\ndefinition document {\n\trelation owner: group with equals\n\tpermission read = owner->read\n}\n\ncaveat equals(actual string, required string) {\n\tactual == required\n}\n```\n\nand these relationships:\n\n```\noffice:headoffice#manager@user:maria\noffice:branch1#parent@office:headoffice\ngroup:admins#parent@office:branch1\ngroup:managers#parent@office:headoffice\ndocument:budget#owner@group:admins[equals:{\"required\":\"admin\"}]\ndocument:budget#owner@group:managers[equals:{\"required\":\"manager\"}]\n```\n\nPermission for `'document:budget#read@user:maria with {\"actual\" : \"admin\"}'` is returned as NO_PERMISSION when HAS_PERMISSION is the correct answer.\n\n### Patches\nUpgrade to v1.44.2.\n\n### Workarounds\nDo not use caveats in your schema over an arrow’ed relation.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/authzed/spicedb"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.44.2"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.44.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm"
45+
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49011"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67"
53+
},
54+
{
55+
"type": "PACKAGE",
56+
"url": "https://github.com/authzed/spicedb"
57+
},
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/authzed/spicedb/releases/tag/v1.44.2"
61+
}
62+
],
63+
"database_specific": {
64+
"cwe_ids": [
65+
"CWE-358"
66+
],
67+
"severity": "LOW",
68+
"github_reviewed": true,
69+
"github_reviewed_at": "2025-06-06T21:41:00Z",
70+
"nvd_published_at": "2025-06-06T18:15:35Z"
71+
}
72+
}

0 commit comments

Comments
 (0)