Vulnerability DatabaseCVE-2025-65111
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-65111
Published:November 21, 2025
Updated:May 16, 2026
SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on both sides (but one side arrows to a different permission). Then SpiceDB may have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1.
Affected Packages
github.com/authzed/spicedb (GO):
Affected version(s) >=v0.0.0-20210304035817-8b6c480598b0 <v1.47.1
Fix Suggestion:
Update to version v1.47.1
Related Resources (4)
https://github.com/authzed/spicedb
https://github.com/authzed/spicedb/security/advisories/GHSA-9m7r-g8hg-x3vr
https://nvd.nist.gov/vuln/detail/CVE-2025-65111
https://github.com/authzed/spicedb/commit/8c2edbe1e7bd3851fa2138f4cc344bfde986dcf2
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
POC
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Insecure Inherited Permissions
CWE-277
EPSS
Base Score:
0.05