GHSA-cwwm-hr97-qfxm

Source
https://github.com/advisories/GHSA-cwwm-hr97-qfxm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-cwwm-hr97-qfxm/GHSA-cwwm-hr97-qfxm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cwwm-hr97-qfxm
Aliases
Published
2025-06-06T21:41:00Z
Modified
2025-06-10T19:58:49Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
SpiceDB checks involving relations with caveats can result in no permission when permission is expected
Details

Impact

On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected.

For example, given this schema:

definition user {}

definition office {
    relation parent: office
    relation manager: user
    permission read = manager + parent->read
}

definition group {
    relation parent: office
    permission read = parent->read
}

definition document {
    relation owner: group with equals
    permission read = owner->read
}

caveat equals(actual string, required string) {
    actual == required
}

and these relationships:

office:headoffice#manager@user:maria
office:branch1#parent@office:headoffice
group:admins#parent@office:branch1
group:managers#parent@office:headoffice
document:budget#owner@group:admins[equals:{"required":"admin"}]
document:budget#owner@group:managers[equals:{"required":"manager"}]

Permission for 'document:budget#read@user:maria with {"actual" : "admin"}' is returned as NOPERMISSION when HASPERMISSION is the correct answer.
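The following is an added, constructed reference model of how the check above should resolve; it is not SpiceDB's code and does not reproduce the bug. The schema is hand-encoded in the Check function (no schema parser), relationships are stored as a slice of tuples with their caveat context, and an arrow is evaluated as a union over every subject of the relation, so a single satisfied caveated branch is enough for a positive answer. With "actual": "admin" the path document:budget#owner -> group:admins (caveat satisfied) -> office:branch1 -> office:headoffice#manager -> user:maria yields HASPERMISSION, which is the expected answer stated above; the managers branch fails its caveat and must not drag the result to NOPERMISSION. The same relationships can serve as a regression fixture against a real instance after upgrading.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is a constructed stand-in for one SpiceDB relationship from the
// advisory. Caveat is "" for uncaveated relationships; Params holds the
// caveat context written with the relationship (e.g. required=admin).
type Tuple struct {
	Resource string // "office:headoffice"
	Relation string // "manager"
	Subject  string // "user:maria"
	Caveat   string
	Params   map[string]string
}

// evalCaveat models the advisory's `equals` caveat: `actual` comes from the
// request context, `required` from the relationship. Uncaveated tuples pass.
func evalCaveat(name string, params, ctx map[string]string) bool {
	switch name {
	case "":
		return true
	case "equals":
		return ctx["actual"] == params["required"]
	}
	return false // unknown caveat: treat as not satisfied
}

// Checker resolves permissions against the advisory's schema, which is
// encoded directly in Check (assumption: each permission expression is a
// hand-written case rather than parsed from the schema text).
type Checker struct{ tuples []Tuple }

// subjects returns the subjects reachable from resource via relation whose
// caveat, if any, is satisfied by ctx.
func (c *Checker) subjects(resource, relation string, ctx map[string]string) []string {
	var out []string
	for _, t := range c.tuples {
		if t.Resource == resource && t.Relation == relation && evalCaveat(t.Caveat, t.Params, ctx) {
			out = append(out, t.Subject)
		}
	}
	return out
}

// arrow implements `relation->permission`: the union of permission checks
// over every subject of relation. One satisfied branch is sufficient.
func (c *Checker) arrow(resource, relation, permission, subject string, ctx map[string]string) bool {
	for _, s := range c.subjects(resource, relation, ctx) {
		if c.Check(s, permission, subject, ctx) {
			return true
		}
	}
	return false
}

// Check answers "does subject have permission on resource under ctx?".
func (c *Checker) Check(resource, permission, subject string, ctx map[string]string) bool {
	typ := strings.SplitN(resource, ":", 2)[0]
	switch typ + "#" + permission {
	case "office#read": // manager + parent->read
		for _, s := range c.subjects(resource, "manager", ctx) {
			if s == subject {
				return true
			}
		}
		return c.arrow(resource, "parent", "read", subject, ctx)
	case "group#read": // parent->read
		return c.arrow(resource, "parent", "read", subject, ctx)
	case "document#read": // owner->read, where owner carries the equals caveat
		return c.arrow(resource, "owner", "read", subject, ctx)
	}
	return false
}

// NewAdvisoryChecker loads exactly the relationships listed in the advisory.
func NewAdvisoryChecker() *Checker {
	return &Checker{tuples: []Tuple{
		{Resource: "office:headoffice", Relation: "manager", Subject: "user:maria"},
		{Resource: "office:branch1", Relation: "parent", Subject: "office:headoffice"},
		{Resource: "group:admins", Relation: "parent", Subject: "office:branch1"},
		{Resource: "group:managers", Relation: "parent", Subject: "office:headoffice"},
		{Resource: "document:budget", Relation: "owner", Subject: "group:admins",
			Caveat: "equals", Params: map[string]string{"required": "admin"}},
		{Resource: "document:budget", Relation: "owner", Subject: "group:managers",
			Caveat: "equals", Params: map[string]string{"required": "manager"}},
	}}
}

func main() {
	c := NewAdvisoryChecker()
	// "intern" is a constructed value that satisfies neither caveated branch.
	for _, actual := range []string{"admin", "manager", "intern"} {
		ok := c.Check("document:budget", "read", "user:maria", map[string]string{"actual": actual})
		fmt.Printf("document:budget#read@user:maria with actual=%q -> %v\n", actual, ok)
	}
}
```

Both caveated branches independently reach user:maria (admins via branch1 -> headoffice, managers via headoffice directly), so the model answers true for either matching context value and false only when neither caveat is satisfied; that is the union semantics the advisory's expected HASPERMISSION relies on.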

Patches

Upgrade to v1.44.2.

Workarounds

Do not use caveats in your schema over an arrow’ed relation.

Database specific
{
    "nvd_published_at": "2025-06-06T18:15:35Z",
    "cwe_ids": [
        "CWE-358"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-06T21:41:00Z"
}
References

Affected packages

Go / github.com/authzed/spicedb

Package

Name
github.com/authzed/spicedb
Purl
pkg:golang/github.com/authzed/spicedb

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.44.2

Database specific

{
    "last_known_affected_version_range": "<= 1.44.0"
}