{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49011", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-29T16:34:07.176Z", "datePublished": "2025-06-06T17:36:21.747Z", "dateUpdated": "2025-06-06T21:33:23.317Z"}, "containers": {"cna": {"title": "SpiceDB checks involving relations with caveats can result in no permission when permission is expected", "problemTypes": [{"descriptions": [{"cweId": "CWE-358", "lang": "en", "description": "CWE-358: Improperly Implemented Security Check for Standard", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm"}, {"name": "https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67", "tags": ["x_refsource_MISC"], "url": "https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67"}, {"name": "https://github.com/authzed/spicedb/releases/tag/v1.44.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/authzed/spicedb/releases/tag/v1.44.2"}], "affected": [{"vendor": "authzed", "product": "spicedb", "versions": [{"version": "< 1.44.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-06T21:33:23.317Z"}, "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow\u2019ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow\u2019ed relation."}], "source": {"advisory": "GHSA-cwwm-hr97-qfxm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-06T18:38:07.236832Z", "id": "CVE-2025-49011", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T18:38:24.599Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-49011", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-06T18:38:07.236832Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T18:38:20.391Z"}}], "cna": {"title": "SpiceDB checks involving relations with caveats can result in no permission when permission is expected", "source": {"advisory": "GHSA-cwwm-hr97-qfxm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "authzed", "product": "spicedb", "versions": [{"status": "affected", "version": "< 1.44.2"}]}], "references": [{"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm", "name": "https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67", "name": "https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/authzed/spicedb/releases/tag/v1.44.2", "name": "https://github.com/authzed/spicedb/releases/tag/v1.44.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow\u2019ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow\u2019ed relation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-358", "description": "CWE-358: Improperly Implemented Security Check for Standard"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-06T21:33:23.317Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49011", "state": "PUBLISHED", "dateUpdated": "2025-06-06T21:33:23.317Z", "dateReserved": "2025-05-29T16:34:07.176Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-06T17:36:21.747Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:authzed:spicedb:*:*:*:*:*:*:*:*", "matchCriteriaId": "98C0C4A9-0BC1-4A5A-BCEE-E33D1FD3FE8A", "versionEndExcluding": "1.44.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow\u2019ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow\u2019ed relation."}, {"lang": "es", "value": "SpiceDB es una base de datos de c\u00f3digo abierto para almacenar y consultar datos de autorizaci\u00f3n detallados. Antes de la versi\u00f3n 1.44.2, en esquemas con flechas y advertencias en la relaci\u00f3n con flechas, cuando la ruta para resolver una solicitud CheckPermission implica la evaluaci\u00f3n de varias ramas con advertencias, las solicitudes pod\u00edan devolver una respuesta negativa cuando se esperaba una positiva. La versi\u00f3n 1.44.2 soluciona este problema. Como soluci\u00f3n alternativa, no utilice advertencias en el esquema sobre una relaci\u00f3n con flechas."}], "id": "CVE-2025-49011", "lastModified": "2025-09-04T16:48:00.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-06T18:15:35.497", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/authzed/spicedb/releases/tag/v1.44.2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-358"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-06-23T09:16:30.274675+00:00", "updated": "2025-06-23T09:16:30.274768+00:00", "vendors": ["authzed", "authzed$PRODUCT$spicedb"]}