PT-2025-46219 · Spicedb · Spicedb

Published: 2025-11-10 · Updated: 2025-11-21 · CVE-2025-64529

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: SpiceDB versions prior to 1.45.2

Description: SpiceDB is a database system for managing application permissions. Versions prior to 1.45.2 are susceptible to an issue where a successful response is incorrectly returned from a WriteRelationships call when the call actually fails due to payload size limitations imposed by the datastore. This can lead to incorrect permission check results if relationships are read to resolve a relation involving the exclusion operator. The issue occurs when the --write-relationships-max-updates-per-call configuration is set above 6500 and a large number of updates are sent in a single WriteRelationships call.

Recommendations: Update to version 1.45.2 or later. As a workaround, set the --write-relationships-max-updates-per-call configuration to 1000.


Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

CVE-2025-64529
GHSA-PM3X-JRHH-QCR7
GO-2025-4120

Affected Products

Spicedb