
Cloud Vulnerability DB
A community-led vulnerabilities database
SpiceDB, an open source database system for creating and managing security-critical application permissions, was found to have a vulnerability where WriteRelationships fails silently if the payload exceeds size limits. The vulnerability (CVE-2025-64529) was discovered and disclosed on November 10, 2025, affecting versions prior to 1.45.2 (GitHub Advisory).
The vulnerability exists in the PostgreSQL datastore implementation of SpiceDB, specifically in the pgReadWriteTXN.WriteRelationships function. The root cause was identified as a silent failure where the function performed bulk database writes without checking for errors after operation completion. When users submitted WriteRelationships requests exceeding PostgreSQL's internal limit of 65,535 parameters, the database would generate an error that the application would ignore, resulting in relationships not being written to the database while falsely reporting success (Miggo).
The vulnerability affects users who use the exclusion operator in their authorization schema and have configured their SpiceDB server with --write-relationships-max-updates-per-call larger than 6500. These users receive successful responses from WriteRelationships calls even when the operation actually failed, leading to incorrect permission check results when those relationships are later read to resolve relations involving exclusion (GitHub Advisory).
Two primary mitigation options are available: upgrading to SpiceDB version 1.45.2, which contains the patch, or implementing a workaround by setting --write-relationships-max-updates-per-call to 1000. The patch adds explicit error checking through rows.Err() after database queries and introduces a new error handling function, handleWriteError, to properly identify and report PostgreSQL parameter limit errors (GitHub Advisory).
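The unchecked-iterator pattern described above, shown beside its corrected form as an added Go example that is not SpiceDB's code: the database driver is replaced by a constructed fake, the function names and the 10-bound-values-per-row figure are assumptions, and only the 65535 parameter cap comes from the report.

```go
package main

import (
	"errors"
	"fmt"
)

// PostgreSQL's extended protocol caps bind parameters per statement at 65535 (uint16).
const pgMaxParams = 65535
// Constructed stand-in for the driver error raised past that limit; real drivers surface it only via rows.Err().
var ErrTooManyParams = errors.New("extended protocol limited to 65535 parameters")
// fakeRows is a constructed fake of a pgx-style row iterator, not a real connection.
type fakeRows struct{ err error }
func (r *fakeRows) Next() bool { return false }
func (r *fakeRows) Err() error { return r.err }
// fakeBulkInsert models a bulk INSERT of n rows with cols bound values each.
func fakeBulkInsert(n, cols int) *fakeRows {
	if n*cols > pgMaxParams {
		return &fakeRows{err: ErrTooManyParams}
	}
	return &fakeRows{}
}

// writeUnchecked reproduces the vulnerable pattern: drain the iterator and return
// nil without consulting Err(), so the rejected write is reported as success.
func writeUnchecked(n, cols int) error {
	r := fakeBulkInsert(n, cols)
	for r.Next() {
	}
	return nil
}

// writeChecked is the corrected pattern: check Err() after iteration and name the
// parameter-limit case so the caller learns why the write failed.
func writeChecked(n, cols int) error {
	r := fakeBulkInsert(n, cols)
	for r.Next() {
	}
	err := r.Err()
	if errors.Is(err, ErrTooManyParams) {
		err = fmt.Errorf("batch of %d rows exceeds the PostgreSQL parameter limit: %w", n, err)
	}
	return err
}

// MaxUpdatesPerCall is the largest batch within the limit for cols bound values per row.
func MaxUpdatesPerCall(cols int) int { return pgMaxParams / cols }
func main() {
	fmt.Println(writeUnchecked(7000, 10), writeChecked(7000, 10), MaxUpdatesPerCall(10))
}
```

MaxUpdatesPerCall gives the figure to compare against --write-relationships-max-updates-per-call once the real number of bound values per relationship row is known for the deployed schema.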
Source: This report was generated using AI