MEDIUM 6.5 Go
SpiceDB WriteRelationships fails silently if payload is too big
GHSA-pm3x-jrhh-qcr7 · CVE-2025-64529 · GO-2025-4120
Description
Impact
Users who
- use the exclusion operator somewhere in their authorization schema
- have configured their SpiceDB server such that --write-relationships-max-updates-per-call is bigger than 6500
- issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows
will
- receive a successful response from their WriteRelationships call, when in reality that call failed,
- receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion
Patches
Upgrade to v.145.2.
Workarounds
Set --write-relationships-max-updates-per-call to 1000.
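An exposure check for the first two conditions listed under Impact, as an added example (not SpiceDB's own code): it takes a server argument list and a schema, both constructed samples here, and reports whether a limit above 6500 is combined with an exclusion in a permission. The function names are hypothetical, the schema scan is a single-line heuristic, and the third condition (payload size against the datastore limit) is not checked.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var (
	// Matches "--flag=N" and "--flag N" in a space-joined argument list.
	flagRe      = regexp.MustCompile(`--write-relationships-max-updates-per-call[= ](\d+)`)
	lineComment = regexp.MustCompile(`//[^\n]*`)
	permission  = regexp.MustCompile(`\bpermission\s+\w+\s*=([^\n]*)`)
)

// maxUpdates returns the configured per-call update limit; ok is false when
// the flag is absent from the argument list.
func maxUpdates(args []string) (int, bool) {
	m := flagRe.FindAllStringSubmatch(strings.Join(args, " "), -1)
	if len(m) == 0 {
		return 0, false
	}
	n, err := strconv.Atoi(m[len(m)-1][1]) // use the last occurrence
	return n, err == nil
}

// usesExclusion (heuristic) reports a "-" in a permission that is not part of "->".
func usesExclusion(schema string) bool {
	schema = lineComment.ReplaceAllString(schema, "")
	for _, m := range permission.FindAllStringSubmatch(schema, -1) {
		if strings.Contains(strings.ReplaceAll(m[1], "->", ""), "-") {
			return true
		}
	}
	return false
}

// exposed combines the advisory's two configuration conditions.
func exposed(args []string, schema string) bool {
	n, ok := maxUpdates(args)
	return ok && n > 6500 && usesExclusion(schema)
}

func main() {
	args := []string{"serve", "--write-relationships-max-updates-per-call=10000"} // constructed
	schema := "definition doc {\n\trelation viewer: user\n\trelation banned: user\n\tpermission view = viewer - banned\n}"
	fmt.Println("exposed:", exposed(args, schema))
}
```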