CVE-2025-64529: SpiceDB WriteRelationships fails silently if payload is too big
Users who
- use the exclusion operator somewhere in their authorization schema
- have configured their SpiceDB server such that --write-relationships-max-updates-per-call is bigger than 6500
- issue calls to WriteRelationships with a large enough number of updates that the payload is bigger than what their datastore allows

will
- receive a successful response from their WriteRelationships call, when in reality that call failed
- receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion
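The defensive pattern for a write API that can acknowledge a call it did not persist is to cap the batch size on the client and read back a sample of each batch before trusting the acknowledgement. The following is an added example, not SpiceDB's code nor the project's fix: it uses a hypothetical RelationshipStore interface (not the authzed-go API), a constructed silentStore fake that models the advisory's failure mode by dropping any write whose encoded size exceeds a byte limit while still returning success, and the 6500 figure from the advisory as the default per-call cap.

```go
package main

import (
	"errors"
	"fmt"
)

// RelationshipUpdate is a simplified stand-in for a SpiceDB relationship
// (resource#relation@subject). Constructed for this example.
type RelationshipUpdate struct {
	Resource string
	Relation string
	Subject  string
}

// RelationshipStore is a hypothetical client interface for this example;
// it is not the authzed-go API.
type RelationshipStore interface {
	WriteRelationships(updates []RelationshipUpdate) error
	HasRelationship(u RelationshipUpdate) (bool, error)
}

// MaxUpdatesPerCall mirrors the threshold named in the advisory; the client
// never sends more than this many updates in one call.
const MaxUpdatesPerCall = 6500

var ErrWriteNotVisible = errors.New("relationship not visible after acknowledged write")

// WriteInBatches sends updates in chunks of at most maxPerCall and, after
// each acknowledged chunk, reads back its first and last update. A call that
// returned success without persisting anything is therefore detected instead
// of silently producing wrong permission checks later. It returns the number
// of updates confirmed written.
func WriteInBatches(store RelationshipStore, updates []RelationshipUpdate, maxPerCall int) (int, error) {
	if maxPerCall <= 0 {
		return 0, errors.New("maxPerCall must be positive")
	}
	written := 0
	for start := 0; start < len(updates); start += maxPerCall {
		end := start + maxPerCall
		if end > len(updates) {
			end = len(updates)
		}
		batch := updates[start:end]
		if err := store.WriteRelationships(batch); err != nil {
			return written, fmt.Errorf("batch starting at %d: %w", start, err)
		}
		// Sample the edges of the batch; a dropped batch loses all of them.
		for _, probe := range []RelationshipUpdate{batch[0], batch[len(batch)-1]} {
			ok, err := store.HasRelationship(probe)
			if err != nil {
				return written, fmt.Errorf("batch starting at %d: %w", start, err)
			}
			if !ok {
				return written, fmt.Errorf("batch starting at %d: %w", start, ErrWriteNotVisible)
			}
		}
		written += len(batch)
	}
	return written, nil
}

// silentStore is a constructed fake modelling the advisory's failure mode:
// a write whose encoded size exceeds maxBytes returns nil (success) but
// stores nothing.
type silentStore struct {
	maxBytes int
	data     map[RelationshipUpdate]bool
}

func newSilentStore(maxBytes int) *silentStore {
	return &silentStore{maxBytes: maxBytes, data: map[RelationshipUpdate]bool{}}
}

func (s *silentStore) WriteRelationships(updates []RelationshipUpdate) error {
	size := 0
	for _, u := range updates {
		size += len(u.Resource) + len(u.Relation) + len(u.Subject)
	}
	if size > s.maxBytes {
		return nil // the silent failure: acknowledged, not persisted
	}
	for _, u := range updates {
		s.data[u] = true
	}
	return nil
}

func (s *silentStore) HasRelationship(u RelationshipUpdate) (bool, error) {
	return s.data[u], nil
}

// makeUpdates builds n constructed sample relationships (doc:i#viewer@user:i).
func makeUpdates(n int) []RelationshipUpdate {
	out := make([]RelationshipUpdate, n)
	for i := range out {
		out[i] = RelationshipUpdate{fmt.Sprintf("doc:%d", i), "viewer", fmt.Sprintf("user:%d", i)}
	}
	return out
}

func main() {
	updates := makeUpdates(10)
	// One oversized call: acknowledged but dropped, caught by the read-back.
	n, err := WriteInBatches(newSilentStore(100), updates, MaxUpdatesPerCall)
	fmt.Println("single call:", n, err)
	// Smaller batches fit the fake's limit and are confirmed.
	n, err = WriteInBatches(newSilentStore(100), updates, 5)
	fmt.Println("batched:", n, err)
}
```

Reading back only the first and last update keeps the verification cheap; if a datastore could drop part of a batch rather than the whole payload, the sample would have to cover every update, at the cost of one read per write.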