CVE-2025-64529: SpiceDB WriteRelationships fails silently if payload is too big
Users who:
- Use the exclusion operator somewhere in their authorization schema.
- Have configured their SpiceDB server with --write-relationships-max-updates-per-call set to a value greater than 6500.
- Issue WriteRelationships calls with enough updates that the request payload is larger than what their datastore allows.
Users will:
- Receive a successful response from their WriteRelationships call when that call in fact failed.
- Receive incorrect permission check results if those relationships had to be read to resolve the relation involving the exclusion.
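The following is an added client-side guard, written for this page and not code from the advisory, SpiceDB or the authzed client. It keeps every WriteRelationships call under both an update-count cap (at or below the 6500 threshold named above) and an approximate byte budget, and it reads each batch back before trusting the success response, since the failure mode above is exactly a success response for a write that did not land. The Update type, the wireSize estimate, the Writer interface and the in-memory store that silently drops oversized payloads are all constructed stand-ins for this example; in a real deployment the Writer would wrap the authzed client's WriteRelationships and ReadRelationships calls, and the byte budget would be chosen from the datastore's actual limit.

```go
package main

import "fmt"

// Update is a constructed stand-in for authzed.api.v1.RelationshipUpdate; only the
// fields that drive payload size are kept (an assumption made for this example).
type Update struct{ Op, Resource, Relation, Subject string } // Op: "TOUCH" or "DELETE"

// wireSize approximates the serialized size of one update. The real protobuf
// encoding differs (assumption), so keep maxBytes well below the datastore limit.
func (u Update) wireSize() int { return len(u.Op) + len(u.Resource) + len(u.Relation) + len(u.Subject) + 8 }

func (u Update) key() string { return u.Resource + "#" + u.Relation + "@" + u.Subject }

// batchUpdates splits updates into batches that respect both a per-call update cap
// (keep it at or below 6500, per the advisory) and an approximate byte budget.
func batchUpdates(updates []Update, maxPerCall, maxBytes int) ([][]Update, error) {
	batches, cur, curBytes := [][]Update(nil), []Update(nil), 0
	for _, u := range updates {
		sz := u.wireSize()
		if sz > maxBytes {
			return nil, fmt.Errorf("%s is %d bytes, over the %d byte budget", u.key(), sz, maxBytes)
		}
		if len(cur) > 0 && (len(cur) >= maxPerCall || curBytes+sz > maxBytes) {
			batches = append(batches, cur) // close the batch before it exceeds either limit
			cur, curBytes = nil, 0
		}
		cur = append(cur, u)
		curBytes += sz
	}
	if len(cur) > 0 {
		batches = append(batches, cur)
	}
	return batches, nil
}

// Writer abstracts WriteRelationships plus a read-back so the example runs offline.
type Writer interface {
	Write(batch []Update) error
	Exists(u Update) (bool, error)
}

// writeVerified writes each batch and reads its updates back, because the advisory
// describes a success response for a write that never happened; it returns the count of verified batches.
func writeVerified(w Writer, updates []Update, maxPerCall, maxBytes int) (int, error) {
	batches, err := batchUpdates(updates, maxPerCall, maxBytes)
	if err != nil {
		return 0, err
	}
	for i, b := range batches {
		if err := w.Write(b); err != nil {
			return i, fmt.Errorf("batch %d: %w", i, err)
		}
		for _, u := range b {
			if ok, err := w.Exists(u); err != nil || ok != (u.Op == "TOUCH") {
				return i, fmt.Errorf("batch %d: %s not reflected after a successful write (%v)", i, u.key(), err)
			}
		}
	}
	return len(batches), nil
}

// memStore is a constructed datastore with a hard payload limit that, like the
// failure mode in the advisory, reports success for a batch it silently dropped.
type memStore struct{ limit int; rels map[string]bool }

func (m *memStore) Write(batch []Update) error {
	total := 0
	for _, u := range batch {
		total += u.wireSize()
	}
	if total > m.limit {
		return nil // oversized payload: nothing is stored, yet no error is returned
	}
	for _, u := range batch {
		m.rels[u.key()] = u.Op == "TOUCH"
	}
	return nil
}

func (m *memStore) Exists(u Update) (bool, error) { return m.rels[u.key()], nil }

// sampleUpdates builds n constructed viewer relationships (41 bytes each by wireSize).
func sampleUpdates(n int) []Update {
	out := make([]Update, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, Update{"TOUCH", "document:doc", "viewer", fmt.Sprintf("user:u%04d", i)})
	}
	return out
}

func main() {
	ups := sampleUpdates(10) // 410 bytes: one call is silently dropped, five 82-byte calls are stored
	_, err := writeVerified(&memStore{limit: 100, rels: map[string]bool{}}, ups, 6500, 1<<20)
	n, _ := writeVerified(&memStore{limit: 100, rels: map[string]bool{}}, ups, 6500, 100)
	fmt.Println("single call:", err, "| batched:", n)
}
```

The read-back is the part that matters for this advisory: batching alone only lowers the chance of hitting the datastore limit, while verifying that each update is visible after the call turns the silent failure into a hard error that a caller can retry or alert on. Both limits are client-side guards, not a fix for the server behaviour the advisory describes.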