cvedb.io
CVE-2025-64529
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2025-11-10T23:15:42.170 · Last modified 2026-06-17T09:54:32.647

Summary

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-rela

Affected products

authzed — spicedb

Does this affect you?

Add your gear to cvedb and we'll alert you only when authzed ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.