Authorization Schema Vulnerability in SpiceDB by Authzed
CVE-2025-64529

2.7 LOW

Key Information:

Vendor

Authzed

Status
Vendor
CVE Published:
10 November 2025

What is CVE-2025-64529?

SpiceDB is an open source database for managing security-critical application permissions. In versions prior to 1.45.2, if the authorization schema uses the exclusion operator and the server is run with --write-relationships-max-updates-per-call set to a value greater than 6500, a WriteRelationships call can return a successful response even though the write failed. Because the failure is reported as success, the caller has no signal to retry, and permission checks that later read those relationships can return incorrect results. Operators should either lower --write-relationships-max-updates-per-call to 1000 or upgrade to SpiceDB 1.45.2, which contains the fix.
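The three preconditions above (a release before 1.45.2, the flag set above 6500, and a schema that uses the exclusion operator) can be checked together before touching a cluster. The following Python script is an added example written for this page; it is not code from Authzed or from the advisory. The schema, version strings and command lines in it are constructed samples, and treating a missing flag as 1000 is an assumption made by the script rather than a value read from SpiceDB. The schema scan relies on the fact that SpiceDB schema identifiers cannot contain a hyphen, so a bare `-` inside a permission expression can only be the exclusion operator (the `->` arrow is excluded separately).

```python
"""Audit a SpiceDB deployment for the CVE-2025-64529 preconditions.

Added example, not Authzed code. All inputs below are constructed samples.
"""
import re

FIXED_VERSION = (1, 45, 2)          # first release with the fix
THRESHOLD = 6500                    # flag values above this hit the bug
RECOMMENDED = 1000                  # value the advisory says to fall back to
FLAG = "--write-relationships-max-updates-per-call"


def parse_version(text: str) -> tuple:
    """'v1.45.1' or '1.45.1-rc1' -> (1, 45, 1)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised SpiceDB version: {text!r}")
    return tuple(int(x) for x in m.groups())


def max_updates_from_args(argv: list) -> int:
    """Read the flag from a 'spicedb serve' command line (--flag=N or --flag N).

    When the flag is absent the value is ASSUMED to be RECOMMENDED (1000);
    that is an assumption of this script, not a value read from SpiceDB.
    """
    for i, arg in enumerate(argv):
        if arg.startswith(FLAG + "="):
            return int(arg.split("=", 1)[1])
        if arg == FLAG and i + 1 < len(argv):
            return int(argv[i + 1])
    return RECOMMENDED


def schema_uses_exclusion(schema: str) -> bool:
    """True if any permission expression uses the exclusion operator '-'.

    '//' comments are stripped first, and a '-' that is part of the '->'
    arrow operator does not count.
    """
    for raw in schema.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line.startswith("permission "):
            continue
        _, _, expr = line.partition("=")
        if re.search(r"-(?!>)", expr):
            return True
    return False


def assess(version: str, argv: list, schema: str) -> dict:
    """Combine the three preconditions into one verdict plus remediation."""
    ver = parse_version(version)
    max_updates = max_updates_from_args(argv)
    exclusion = schema_uses_exclusion(schema)
    exposed = ver < FIXED_VERSION and max_updates > THRESHOLD and exclusion
    advice = []
    if exposed:
        advice.append("upgrade SpiceDB to 1.45.2 or later")
        advice.append(f"or run with {FLAG}={RECOMMENDED}")
    return {
        "version": ver,
        "max_updates_per_call": max_updates,
        "schema_uses_exclusion": exclusion,
        "exposed": exposed,
        "advice": advice,
    }


# Constructed sample schema: 'view' uses exclusion, 'edit' only the arrow operator.
SAMPLE_SCHEMA = """
definition user {}

definition folder {
    relation editor: user
    permission edit = editor
}

definition document {
    relation reader: user
    relation banned: user
    relation parent: folder
    // readers minus banned users - the '-' here is only a comment
    permission view = reader - banned
    permission edit = parent->edit
}
"""

# Constructed sample command lines.
VULNERABLE_ARGV = ["spicedb", "serve", f"{FLAG}=7000"]
SAFE_ARGV = ["spicedb", "serve", FLAG, "1000"]

if __name__ == "__main__":
    cases = [("v1.45.1", VULNERABLE_ARGV), ("v1.45.1", SAFE_ARGV), ("v1.45.2", VULNERABLE_ARGV)]
    for ver, argv in cases:
        r = assess(ver, argv, SAMPLE_SCHEMA)
        status = "EXPOSED" if r["exposed"] else "ok"
        print(ver, " ".join(argv[2:]), "->", status, *r["advice"])
```

Run it against your own `spicedb serve` command line and schema dump; a deployment is flagged only when all three conditions hold, which mirrors how the advisory scopes the issue.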

Affected Version(s)

spicedb < 1.45.2

References

CVSS v4

Score: 2.7
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 10 November 2025

  • Vulnerability reserved
