CVE-2025-65111: SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results
If a schema includes the following characteristics:
- Permission defined in terms of a union (+)
- That union references the same relation on both sides, but one side arrows to a different permission
Then LookupResources on that permission may return incomplete results. This only affects LookupResources; other APIs, including CheckPermission, calculate permissionship correctly.
A small concrete example:
relation doer_of_things: user | group#member
permission do_the_thing = doer_of_things + doer_of_things->admin
A CheckPermission on do_the_thing will return the correct permissionship, but a LookupResources on do_the_thing may miss resources.
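As an added triage aid (not SpiceDB's own tooling), the script below scans schema text for the union shape described above: a permission whose top-level `+` union names the same relation both bare and as the source of an arrow. The sample schema is constructed for illustration and only flat unions are inspected.

```python
import re

# Constructed sample schema (not from the advisory) containing the affected
# shape: do_the_thing unions doer_of_things with doer_of_things->admin.
SAMPLE_SCHEMA = """
definition user {}
definition group {
    relation member: user
    relation owner: user
    permission admin = owner
}
definition document {
    relation doer_of_things: user | group#member
    permission do_the_thing = doer_of_things + doer_of_things->admin
}
"""

DEFINITION_RE = re.compile(r"^\s*definition\s+([\w/]+)\s*\{")
PERMISSION_RE = re.compile(r"^\s*permission\s+(\w+)\s*=\s*(.+?)\s*$")
ARROW_RE = re.compile(r"^(\w+)->(\w+)$")


def find_affected_permissions(schema):
    """Return (definition, permission, relation) for each permission whose
    top-level union uses one relation both bare and behind an arrow. Unions
    with parentheses, intersection (&) or exclusion (-) are skipped."""
    hits = []
    current_def = None
    for line in schema.splitlines():
        d = DEFINITION_RE.match(line)
        if d:
            current_def = d.group(1)
            continue
        p = PERMISSION_RE.match(line)
        if not p:
            continue
        name, expr = p.groups()
        bare, arrow_sources, supported = set(), set(), True
        for operand in (op.strip() for op in expr.split("+")):
            if re.fullmatch(r"\w+", operand):
                bare.add(operand)          # plain relation or permission
            elif ARROW_RE.match(operand):
                arrow_sources.add(operand.split("->")[0])  # relation left of ->
            else:
                supported = False          # syntax this scanner does not model
        if supported:
            for rel in sorted(bare & arrow_sources):
                hits.append((current_def, name, rel))
    return hits
```

Each hit names a permission whose LookupResources results should be verified against CheckPermission on affected SpiceDB versions.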