PT-2024-21650 · Spicedb · Spicedb

Hjzelinskie · Published 2024-03-01 · Updated 2024-06-04 · CVE-2024-27101

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SpiceDB versions prior to 1.29.2

Description: The issue is caused by an integer overflow in the chunking helper, which leads either to elements being missed during dispatch or to a panic. Any SpiceDB cluster with a schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected. The CheckPermission, BulkCheckPermission, and LookupSubjects API methods are affected. This may result in permission checks being denied when they are expected to be allowed, and in LookupSubjects returning fewer subjects than expected. The issue can also lead to a panic, rendering the server unavailable.

Recommendations: For SpiceDB versions prior to 1.29.2, upgrade to version 1.29.2 to resolve the issue. For AuthZed Enterprise customers, upgrade to v1.29.2-hotfix-enterprise.v1.hotfix.v1. As a temporary workaround, ensure that the SpiceDB cluster does not have very wide relations; the maximum safe width is the maximum value of a 16-bit unsigned integer (65535). At the moment, there is no other information about additional workarounds or mitigations.
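The following is an added illustration of the bug class described above, written for this page; it is a constructed model, not SpiceDB's actual chunking helper. It narrows the input length to a 16-bit unsigned integer before computing chunk bounds, which reproduces both effects the advisory names (elements silently dropped once the input exceeds 65535, and a panic when the wrapped end index falls below the start index), and shows the same loop done in native int arithmetic.

```go
package main

// Constructed model of the CVE-2024-27101 bug class, not SpiceDB's helper: length narrowed to uint16.
const chunkSize = 100

// vulnerableChunk truncates inputs longer than 65535 and can panic on wrap.
func vulnerableChunk(items []string) [][]string {
	n := uint16(len(items)) // BUG: wraps for len(items) > 65535
	var chunks [][]string
	for start := uint16(0); start < n; start += chunkSize {
		end := start + chunkSize // BUG: 65500+100 wraps to 64
		if end > n {
			end = n
		}
		chunks = append(chunks, items[start:end]) // panics if end < start
	}
	return chunks
}

// fixedChunk uses native int arithmetic, so every element is covered once.
func fixedChunk(items []string) [][]string {
	var chunks [][]string
	for start := 0; start < len(items); start += chunkSize {
		end := start + chunkSize
		if end > len(items) {
			end = len(items)
		}
		chunks = append(chunks, items[start:end])
	}
	return chunks
}

// covered runs a chunker over n placeholder ids (constructed input) and reports count and panic.
func covered(chunker func([]string) [][]string, n int) (total int, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	for _, c := range chunker(make([]string, n)) {
		total += len(c)
	}
	return total, false
}

func main() {
	for _, n := range []int{1000, 70000, 131071} {
		total, panicked := covered(vulnerableChunk, n)
		println("n =", n, "covered =", total, "panicked =", panicked)
	}
}
```

With 70000 inputs the narrowed length is 4464, so 65536 elements are never dispatched; with 131071 inputs the narrowed length is 65535 and the end index wraps below the start, which panics.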

Exploit

Fix

Integer Overflow


Weakness Enumeration

Related Identifiers

CVE-2024-27101
GHSA-H3M7-RQC4-7H9P
GO-2024-2597

Affected Products

Spicedb