Headline
GHSA-pm3x-jrhh-qcr7: SpiceDB WriteRelationships fails silently if payload is too big
Impact
Users who:
- Use the exclusion operator somewhere in their authorization schema.
- Have configured their SpiceDB server such that --write-relationships-max-updates-per-call is bigger than 6500.
- Issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows.
Users will:
- Receive a successful response from their WriteRelationships call, when in reality that call failed.
- Receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion.
Patches
Upgrade to v1.45.2.
Workarounds
Set --write-relationships-max-updates-per-call to 1000.
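An added example (not SpiceDB project code) of auditing a deployment against the conditions above: it checks the server version and the `--write-relationships-max-updates-per-call` value found in the server's argument list. The function names and the sample arguments are assumptions made for illustration; whether the schema uses exclusion and how large write payloads get must be checked separately.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const flagName = "--write-relationships-max-updates-per-call"

// maxUpdates reads the flag from an argument list ("--flag=N" or "--flag N").
func maxUpdates(args []string) (n int, ok bool) {
	for i, a := range args {
		val := ""
		if strings.HasPrefix(a, flagName+"=") {
			val = strings.TrimPrefix(a, flagName+"=")
		} else if a == flagName && i+1 < len(args) {
			val = args[i+1]
		}
		if v, err := strconv.Atoi(val); err == nil {
			n, ok = v, true // a later occurrence overrides an earlier one
		}
	}
	return n, ok
}

// patched: version (e.g. "v1.45.2") >= 1.45.2; unparseable counts as unpatched.
func patched(version string) bool {
	var maj, mnr, pat int
	_, err := fmt.Sscanf(strings.TrimPrefix(version, "v"), "%d.%d.%d", &maj, &mnr, &pat)
	return err == nil && (maj > 1 || maj == 1 && (mnr > 45 || mnr == 45 && pat >= 2))
}

// assess maps a deployment to a finding using the advisory's thresholds.
func assess(version string, args []string) string {
	if patched(version) {
		return "patched"
	}
	if n, set := maxUpdates(args); set && n > 6500 {
		return "exposed: upgrade, or set the limit to 1000"
	}
	return "unpatched: limit not above 6500, upgrade when possible"
}

func main() {
	// Constructed sample: an unpatched server started with a raised limit.
	fmt.Println(assess("v1.45.1", []string{"serve", flagName + "=10000"}))
}
```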
Low severity GitHub Reviewed Published Nov 10, 2025 in authzed/spicedb • Updated Nov 13, 2025
Package
gomod github.com/authzed/spicedb (Go)
Affected versions
< 1.45.2
References
- GHSA-pm3x-jrhh-qcr7
- https://nvd.nist.gov/vuln/detail/CVE-2025-64529
- authzed/spicedb@d0cd103
Published to the GitHub Advisory Database
Nov 13, 2025
Last updated
Nov 13, 2025