
CVE-2025-49011: SpiceDB checks involving relations with caveats can result in no permission when permission is expected

June 6, 2025 (updated June 10, 2025)

In schemas where an arrow is applied to a relation that carries a caveat, and resolving a CheckPermission request requires evaluating multiple caveated branches, the request may return a negative response when a positive response is expected.

For example, given this schema:

definition user {}

definition office {
    relation parent: office
    relation manager: user
    permission read = manager + parent->read
}

definition group {
    relation parent: office
    permission read = parent->read
}

definition document {
    relation owner: group with equals
    permission read = owner->read
}

caveat equals(actual string, required string) {
    actual == required
}

and these relationships:

office:headoffice#manager@user:maria
office:branch1#parent@office:headoffice
group:admins#parent@office:branch1
group:managers#parent@office:headoffice
document:budget#owner@group:admins[equals:{"required":"admin"}]
document:budget#owner@group:managers[equals:{"required":"manager"}]

The check 'document:budget#read@user:maria' with context {"actual": "admin"} is returned as NO_PERMISSION when HAS_PERMISSION is the correct answer.
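To make the expected answer concrete, here is an added example (not SpiceDB's code, and not part of the advisory) of a small Go evaluator over the schema and relationships above. It models the equals caveat as a comparison between each relationship's "required" value and the check context's "actual" value, and resolves every arrow as a union over all caveated branches; Rels, readRules, subjects and HasRead are hypothetical names.

```go
package main

import "strings"

// Relationship from the advisory's example (constructed data); CaveatRequired is the equals caveat's "required" value, or "" when uncaveated.
type Rel struct{ Resource, Relation, Subject, CaveatRequired string }

var Rels = []Rel{
	{"office:headoffice", "manager", "user:maria", ""},
	{"office:branch1", "parent", "office:headoffice", ""},
	{"group:admins", "parent", "office:branch1", ""},
	{"group:managers", "parent", "office:headoffice", ""},
	{"document:budget", "owner", "group:admins", "admin"},
	{"document:budget", "owner", "group:managers", "manager"},
}

// Relations that feed each type's read permission in the advisory's schema.
var readRules = map[string][]string{
	"office":   {"manager", "parent"}, // read = manager + parent->read
	"group":    {"parent"},            // read = parent->read
	"document": {"owner"},             // read = owner->read, owner is caveated
}

// subjects lists subjects of resource#relation whose caveat, if any, holds under the check context {"actual": actual}.
func subjects(resource, relation, actual string) []string {
	var out []string
	for _, r := range Rels {
		if r.Resource == resource && r.Relation == relation &&
			(r.CaveatRequired == "" || r.CaveatRequired == actual) {
			out = append(out, r.Subject)
		}
	}
	return out
}

// HasRead evaluates read as a union over every branch, so a branch whose caveat fails
// (group:managers when actual is "admin") cannot mask one whose caveat passes.
func HasRead(resource, user, actual string) bool {
	if resource == user { // a direct relation (office#manager) reached the subject
		return true
	}
	for _, rel := range readRules[strings.SplitN(resource, ":", 2)[0]] {
		for _, s := range subjects(resource, rel, actual) { // follow the -> arrow
			if HasRead(s, user, actual) {
				return true
			}
		}
	}
	return false
}
```

With actual "admin" the group:admins branch passes and reaches office:headoffice#manager@user:maria, so the correct result is HAS_PERMISSION even though the group:managers branch's caveat fails.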

References

  • github.com/advisories/GHSA-cwwm-hr97-qfxm
  • github.com/authzed/spicedb
  • github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67
  • github.com/authzed/spicedb/releases/tag/v1.44.2
  • github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm
  • nvd.nist.gov/vuln/detail/CVE-2025-49011


Affected versions

All versions before 1.44.2

Fixed versions

  • 1.44.2

Solution

Upgrade to version 1.44.2 or above.

Impact 3.7 LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N


Weakness

  • CWE-358: Improperly Implemented Security Check for Standard

Source file

go/github.com/authzed/spicedb/CVE-2025-49011.yml


Page generated Tue, 19 Aug 2025 12:19:37 +0000.