DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-VHVQ-FV9F-WH4Q: The Curse of the Cursor: SpiceDB Denial of Service via Panic

Vulnerability ID: GHSA-VHVQ-FV9F-WH4Q
CVSS Score: 7.5
Published: 2026-02-06

SpiceDB, the open-source Google Zanzibar implementation, suffered from a classic Go anti-pattern: using a 'Must' function on untrusted input. By submitting a malformed pagination cursor in a LookupResources request, an attacker could trigger a panic in tuple.MustParse. Because the panic is never recovered, it crashes the entire SpiceDB process, allowing for a trivial, unauthenticated Denial of Service (DoS) attack against the authorization infrastructure.

TL;DR

Sending a garbage string inside a LookupResources pagination cursor crashes SpiceDB. The server used MustParse on client-provided data, causing a panic instead of an error return. Patch to v1.39.1 immediately.
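The anti-pattern and its fix in isolation, as an added example that is not SpiceDB's code: Rel, parseRel, mustParseRel, cursorUnsafe, cursorSafe and the simplified resource#relation@subject format are hypothetical stand-ins for the tuple package and the cursor handling.

```go
package main

import (
	"fmt"
	"strings"
)

type Rel struct{ Resource, Relation, Subject string } // hypothetical stand-in for a parsed tuple

// parseRel parses the simplified form "resource#relation@subject" (assumed format).
func parseRel(s string) (Rel, error) {
	res, rest, ok1 := strings.Cut(s, "#")
	rel, sub, ok2 := strings.Cut(rest, "@")
	if !ok1 || !ok2 || res == "" || rel == "" || sub == "" {
		return Rel{}, fmt.Errorf("want resource#relation@subject")
	}
	return Rel{res, rel, sub}, nil
}

// mustParseRel is the "Must" variant: fine for compile-time constants, fatal for request data.
func mustParseRel(s string) Rel {
	r, err := parseRel(s)
	if err != nil {
		panic(err)
	}
	return r
}

// cursorUnsafe follows the pre-fix pattern; cursorSafe follows the fixed one.
func cursorUnsafe(cursor string) Rel { return mustParseRel(cursor) }

func cursorSafe(cursor string) (Rel, error) {
	r, err := parseRel(cursor)
	if err != nil {
		return Rel{}, fmt.Errorf("could not parse %q as tuple: %w", cursor, err)
	}
	return r, nil
}

// panics reports whether f panicked. Without a recover like this one, the process exits.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	_, err := cursorSafe("not-a-tuple") // constructed malformed cursor value
	fmt.Println("unsafe panics:", panics(func() { cursorUnsafe("not-a-tuple") }), "| safe:", err)
}
```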


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-248 (Uncaught Exception)
  • Attack Vector: Network (gRPC)
  • CVSS v3.1: 7.5 (High)
  • Impact: Denial of Service (Process Crash)
  • Component: internal/graph/cursors.go
  • Exploit Status: Trivial / PoC Available

Affected Systems

  • SpiceDB: < 1.39.1 (Fixed in: 1.39.1)

Code Analysis

Commit: fa1d7f4

Replace tuple.MustParse with tuple.Parse to prevent panics on malformed cursors

@@ -161,7 +162,11 @@ func withDatastoreCursorInCursor[T any, Q any](
    var datastoreCursor options.Cursor
    datastoreCursorString, _ := ci.headSectionValue()
    if datastoreCursorString != "" {
-       datastoreCursor = options.ToCursor(tuple.MustParse(datastoreCursorString))
+       parsedCursor, err := tuple.Parse(datastoreCursorString)
+       if err != nil {
+           return fmt.Errorf("could not parse '%s' as tuple: %w", datastoreCursorString, err)
+       }
+       datastoreCursor = options.ToCursor(parsedCursor)
    }
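Review bot: the added fmt.Errorf line formats the client-supplied datastoreCursorString with '%s', so newlines or control characters in a malformed cursor pass unescaped into whatever logs or returns this error; %q would quote and escape the value. The context line "datastoreCursorString, _ := ci.headSectionValue()" still discards its second return value, which is worth handling or documenting in the same change. The hunk shows no test, so a regression test that passes a malformed cursor and asserts an error rather than a panic would pin the fix.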

Exploit Details

  • GHSA Advisory: The advisory describes manually constructing a cursor with a malformed tuple string.

Mitigation Strategies

  • Update SpiceDB software immediately.
  • Implement aggressive restart policies for SpiceDB pods (Kubernetes) to minimize downtime if exploited before patching.
  • Monitor logs for process panics to detect exploitation attempts.

Remediation Steps:

  1. Pull the latest docker image: authzed/spicedb:v1.39.1
  2. Redeploy the SpiceDB cluster/pods.
  3. Verify the version with spicedb version.
