Search

Find a vulnerability

Search criteria

    16 vulnerabilities found for core by api-platform

    CVE-2026-54164 (GCVE-0-2026-54164)

    Vulnerability from nvd – Published: 2026-07-01 19:14 – Updated: 2026-07-02 15:50
    VLAI
    Title
    API Platform Core: Missing IRI type check enables resource type confusion
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation's declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony's PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    api-platform core Affected: < 4.1.30
    Affected: >= 4.2.0, < 4.2.26
    Affected: >= 4.3.0, < 4.3.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54164",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T15:50:13.142519Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T15:50:25.125Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.1.30"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c 4.2.26"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.3.0, \u003c 4.3.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer\u0027s AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation\u0027s declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony\u0027s PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-843",
                  "description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T19:14:28.770Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h"
            }
          ],
          "source": {
            "advisory": "GHSA-9rjg-x2p2-h68h",
            "discovery": "UNKNOWN"
          },
          "title": "API Platform Core: Missing IRI type check enables resource type confusion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54164",
        "datePublished": "2026-07-01T19:14:28.770Z",
        "dateReserved": "2026-06-11T21:46:52.380Z",
        "dateUpdated": "2026-07-02T15:50:25.125Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49858 (GCVE-0-2026-49858)

    Vulnerability from nvd – Published: 2026-07-01 19:24 – Updated: 2026-07-02 12:20
    VLAI
    Title
    API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-524 - Use of Cache Containing Sensitive Information
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 2.6.0, < 4.1.29
    Affected: >= 4.2.0, < 4.2.25
    Affected: >= 4.3.0, < 4.3.8
    Create a notification for this product.
    api-platform api-platform/hal Affected: >= 2.6.0, < 4.1.29
    Affected: >= 4.2.0, < 4.2.25
    Affected: >= 4.3.0, < 4.3.8
    Create a notification for this product.
    api-platform api-platform/json-api Affected: >= 2.6.0, < 4.1.29
    Affected: >= 4.2.0, < 4.2.25
    Affected: >= 4.3.0, < 4.3.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49858",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T12:19:58.405684Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:20:09.370Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.6.0, \u003c 4.1.29"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c 4.2.25"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.3.0, \u003c 4.3.8"
                }
              ]
            },
            {
              "product": "api-platform/hal",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.6.0, \u003c 4.1.29"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c 4.2.25"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.3.0, \u003c 4.3.8"
                }
              ]
            },
            {
              "product": "api-platform/json-api",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.6.0, \u003c 4.1.29"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c 4.2.25"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.3.0, \u003c 4.3.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak.  #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\\JsonApi\\Serializer\\ItemNormalizer and ApiPlatform\\Hal\\Serializer\\ItemNormalizer are keyed on $context[\u0027cache_key\u0027], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T19:24:58.170Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23"
            }
          ],
          "source": {
            "advisory": "GHSA-pjhx-3c3w-9v23",
            "discovery": "UNKNOWN"
          },
          "title": "API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-49858",
        "datePublished": "2026-07-01T19:24:58.170Z",
        "dateReserved": "2026-06-01T22:03:19.640Z",
        "dateUpdated": "2026-07-02T12:20:09.370Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-31485 (GCVE-0-2025-31485)

    Vulnerability from nvd – Published: 2025-04-03 19:31 – Updated: 2025-04-08 13:15
    VLAI
    Title
    GraphQL grant on a property might be cached with different objects
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-696 - Incorrect Behavior Order
    Assigner
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 4.0.0-alpha.1, < 4.0.22
    Affected: < 3.4.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31485",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T19:59:34.529256Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T19:59:57.790Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-alpha.1, \u003c 4.0.22"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\\GraphQl\\Serializer\\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-696",
                  "description": "CWE-696: Incorrect Behavior Order",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-08T13:15:23.510Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3"
            },
            {
              "name": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8"
            },
            {
              "name": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a"
            },
            {
              "name": "https://github.com/api-platform/core/releases/tag/v3.4.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
            }
          ],
          "source": {
            "advisory": "GHSA-428q-q3vv-3fq3",
            "discovery": "UNKNOWN"
          },
          "title": "GraphQL grant on a property might be cached with different objects"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-31485",
        "datePublished": "2025-04-03T19:31:46.021Z",
        "dateReserved": "2025-03-28T13:36:51.298Z",
        "dateUpdated": "2025-04-08T13:15:23.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-31481 (GCVE-0-2025-31481)

    Vulnerability from nvd – Published: 2025-04-03 19:20 – Updated: 2025-04-08 13:14
    VLAI
    Title
    GraphQL query operations security can be bypassed
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 4.0.0, < 4.0.22
    Affected: < 3.4.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31481",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T19:39:57.000917Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T19:40:10.582Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.0.22"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-08T13:14:36.379Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m"
            },
            {
              "name": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb"
            },
            {
              "name": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568"
            },
            {
              "name": "https://github.com/api-platform/core/releases/tag/v3.4.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
            }
          ],
          "source": {
            "advisory": "GHSA-cg3c-245w-728m",
            "discovery": "UNKNOWN"
          },
          "title": "GraphQL query operations security can be bypassed"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-31481",
        "datePublished": "2025-04-03T19:20:22.916Z",
        "dateReserved": "2025-03-28T13:36:51.297Z",
        "dateUpdated": "2025-04-08T13:14:36.379Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-47639 (GCVE-0-2023-47639)

    Vulnerability from nvd – Published: 2025-04-03 16:46 – Updated: 2025-04-03 18:08
    VLAI
    Title
    API Platform Core can leak exceptions message that may contain sensitive information
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 3.2.0, < 3.2.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-47639",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T18:08:11.190947Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T18:08:26.822Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.2.0, \u003c 3.2.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-03T16:46:13.632Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-rfw5-cqjj-7v9r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-rfw5-cqjj-7v9r"
            },
            {
              "name": "https://github.com/api-platform/core/pull/5823",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/pull/5823"
            },
            {
              "name": "https://github.com/api-platform/core/commit/ba8a7e6538bccebf14c228e43a9339214c4d9201",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/ba8a7e6538bccebf14c228e43a9339214c4d9201"
            }
          ],
          "source": {
            "advisory": "GHSA-rfw5-cqjj-7v9r",
            "discovery": "UNKNOWN"
          },
          "title": "API Platform Core can leak exceptions message that may contain sensitive information"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-47639",
        "datePublished": "2025-04-03T16:46:13.632Z",
        "dateReserved": "2023-11-07T16:57:49.245Z",
        "dateUpdated": "2025-04-03T18:08:26.822Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-23204 (GCVE-0-2025-23204)

    Vulnerability from nvd – Published: 2025-03-24 15:53 – Updated: 2025-03-24 18:03
    VLAI
    Title
    GraphQl securityAfterResolver not called
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to `security`, the impact is there only when there's only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 3.3.8, < 3.3.15
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23204",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T18:03:40.928908Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:03:54.959Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.3.8, \u003c 3.3.15"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there\u0027s no break in a clause. As this falls back to `security`, the impact is there only when there\u0027s only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-24T16:31:46.230Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3"
            },
            {
              "name": "https://github.com/api-platform/core/pull/6444",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/pull/6444"
            },
            {
              "name": "https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56"
            },
            {
              "name": "https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620"
            },
            {
              "name": "https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57"
            }
          ],
          "source": {
            "advisory": "GHSA-7mxx-3cgm-xxv3",
            "discovery": "UNKNOWN"
          },
          "title": "GraphQl securityAfterResolver not called"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-23204",
        "datePublished": "2025-03-24T15:53:19.156Z",
        "dateReserved": "2025-01-13T17:15:41.050Z",
        "dateUpdated": "2025-03-24T18:03:54.959Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25575 (GCVE-0-2023-25575)

    Vulnerability from nvd – Published: 2023-02-28 22:21 – Updated: 2025-03-07 18:36
    VLAI
    Title
    Secured properties in API Platform Core may be accessible within collections
    Summary
    API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. The JSON-LD format is not affected by the issue. The result of the security rule is only executed for the first item of the collection. The result of the rule is then cached and reused for the next items. This bug can leak data to unauthorized users when the rule depends on the value of a property of the item. This bug can also hide properties that should be displayed to authorized users. This issue impacts the 2.7, 3.0 and 3.1 branches. Please upgrade to versions 2.7.10, 3.0.12 or 3.1.3. As a workaround, replace the `cache_key` of the context array of the Serializer inside a custom normalizer that works on objects if the security option of the `ApiPlatform\Metadata\ApiProperty` attribute is used.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-842 - Placement of User into Incorrect Group
    Assigner
    References
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 3.0.0, < 3.0.12
    Affected: >= 3.1.0, < 3.1.3
    Affected: >= 2.6.0, < 2.7.10
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:25:19.302Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv"
              },
              {
                "name": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25575",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-07T18:36:44.785754Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-07T18:36:53.149Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.0.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.1.0, \u003c 3.1.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.6.0, \u003c 2.7.10"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\\Metadata\\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. The JSON-LD format is not affected by the issue. The result of the security rule is only executed for the first item of the collection. The result of the rule is then cached and reused for the next items. This bug can leak data to unauthorized users when the rule depends on the value of a property of the item. This bug can also hide properties that should be displayed to authorized users. This issue impacts the 2.7, 3.0 and 3.1 branches. Please upgrade to versions 2.7.10, 3.0.12 or 3.1.3. As a workaround, replace the `cache_key` of the context array of the Serializer inside a custom normalizer that works on objects if the security option of the `ApiPlatform\\Metadata\\ApiProperty` attribute is used."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-842",
                  "description": "CWE-842: Placement of User into Incorrect Group",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-28T22:21:48.730Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv"
            },
            {
              "name": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb"
            }
          ],
          "source": {
            "advisory": "GHSA-vr2x-7687-h6qv",
            "discovery": "UNKNOWN"
          },
          "title": "Secured properties in API Platform Core may be accessible within collections"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25575",
        "datePublished": "2023-02-28T22:21:48.730Z",
        "dateReserved": "2023-02-07T17:10:00.742Z",
        "dateUpdated": "2025-03-07T18:36:53.149Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-1000011 (GCVE-0-2019-1000011)

    Vulnerability from nvd – Published: 2019-02-04 21:00 – Updated: 2024-08-05 03:00
    VLAI
    Summary
    API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2019-02-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:00:19.353Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/api-platform/core/issues/2364"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/api-platform/core/pull/2441"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "dateAssigned": "2019-01-22T00:00:00.000Z",
          "datePublic": "2019-02-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-04T20:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/issues/2364"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/pull/2441"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "DATE_ASSIGNED": "2019-01-22T21:21:10.019708",
              "DATE_REQUESTED": "2019-01-15T15:30:38",
              "ID": "CVE-2019-1000011",
              "REQUESTER": "dunglas@gmail.com",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/api-platform/core/issues/2364",
                  "refsource": "MISC",
                  "url": "https://github.com/api-platform/core/issues/2364"
                },
                {
                  "name": "https://github.com/api-platform/core/pull/2441",
                  "refsource": "MISC",
                  "url": "https://github.com/api-platform/core/pull/2441"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-1000011",
        "datePublished": "2019-02-04T21:00:00.000Z",
        "dateReserved": "2019-01-15T00:00:00.000Z",
        "dateUpdated": "2024-08-05T03:00:19.353Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-49858 (GCVE-0-2026-49858)

    Vulnerability from cvelistv5 – Published: 2026-07-01 19:24 – Updated: 2026-07-02 12:20
    VLAI
    Title
    API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-524 - Use of Cache Containing Sensitive Information
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 2.6.0, < 4.1.29
    Affected: >= 4.2.0, < 4.2.25
    Affected: >= 4.3.0, < 4.3.8
    Create a notification for this product.
    api-platform api-platform/hal Affected: >= 2.6.0, < 4.1.29
    Affected: >= 4.2.0, < 4.2.25
    Affected: >= 4.3.0, < 4.3.8
    Create a notification for this product.
    api-platform api-platform/json-api Affected: >= 2.6.0, < 4.1.29
    Affected: >= 4.2.0, < 4.2.25
    Affected: >= 4.3.0, < 4.3.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49858",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T12:19:58.405684Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:20:09.370Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.6.0, \u003c 4.1.29"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c 4.2.25"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.3.0, \u003c 4.3.8"
                }
              ]
            },
            {
              "product": "api-platform/hal",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.6.0, \u003c 4.1.29"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c 4.2.25"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.3.0, \u003c 4.3.8"
                }
              ]
            },
            {
              "product": "api-platform/json-api",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.6.0, \u003c 4.1.29"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c 4.2.25"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.3.0, \u003c 4.3.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak.  #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\\JsonApi\\Serializer\\ItemNormalizer and ApiPlatform\\Hal\\Serializer\\ItemNormalizer are keyed on $context[\u0027cache_key\u0027], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T19:24:58.170Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23"
            }
          ],
          "source": {
            "advisory": "GHSA-pjhx-3c3w-9v23",
            "discovery": "UNKNOWN"
          },
          "title": "API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-49858",
        "datePublished": "2026-07-01T19:24:58.170Z",
        "dateReserved": "2026-06-01T22:03:19.640Z",
        "dateUpdated": "2026-07-02T12:20:09.370Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54164 (GCVE-0-2026-54164)

    Vulnerability from cvelistv5 – Published: 2026-07-01 19:14 – Updated: 2026-07-02 15:50
    VLAI
    Title
    API Platform Core: Missing IRI type check enables resource type confusion
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation's declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony's PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    api-platform core Affected: < 4.1.30
    Affected: >= 4.2.0, < 4.2.26
    Affected: >= 4.3.0, < 4.3.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54164",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T15:50:13.142519Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T15:50:25.125Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.1.30"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c 4.2.26"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.3.0, \u003c 4.3.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer\u0027s AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation\u0027s declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony\u0027s PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-843",
                  "description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T19:14:28.770Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h"
            }
          ],
          "source": {
            "advisory": "GHSA-9rjg-x2p2-h68h",
            "discovery": "UNKNOWN"
          },
          "title": "API Platform Core: Missing IRI type check enables resource type confusion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54164",
        "datePublished": "2026-07-01T19:14:28.770Z",
        "dateReserved": "2026-06-11T21:46:52.380Z",
        "dateUpdated": "2026-07-02T15:50:25.125Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-31485 (GCVE-0-2025-31485)

    Vulnerability from cvelistv5 – Published: 2025-04-03 19:31 – Updated: 2025-04-08 13:15
    VLAI
    Title
    GraphQL grant on a property might be cached with different objects
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-696 - Incorrect Behavior Order
    Assigner
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 4.0.0-alpha.1, < 4.0.22
    Affected: < 3.4.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31485",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T19:59:34.529256Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T19:59:57.790Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-alpha.1, \u003c 4.0.22"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\\GraphQl\\Serializer\\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-696",
                  "description": "CWE-696: Incorrect Behavior Order",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-08T13:15:23.510Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3"
            },
            {
              "name": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8"
            },
            {
              "name": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a"
            },
            {
              "name": "https://github.com/api-platform/core/releases/tag/v3.4.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
            }
          ],
          "source": {
            "advisory": "GHSA-428q-q3vv-3fq3",
            "discovery": "UNKNOWN"
          },
          "title": "GraphQL grant on a property might be cached with different objects"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-31485",
        "datePublished": "2025-04-03T19:31:46.021Z",
        "dateReserved": "2025-03-28T13:36:51.298Z",
        "dateUpdated": "2025-04-08T13:15:23.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-31481 (GCVE-0-2025-31481)

    Vulnerability from cvelistv5 – Published: 2025-04-03 19:20 – Updated: 2025-04-08 13:14
    VLAI
    Title
    GraphQL query operations security can be bypassed
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 4.0.0, < 4.0.22
    Affected: < 3.4.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31481",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T19:39:57.000917Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T19:40:10.582Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.0.22"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-08T13:14:36.379Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m"
            },
            {
              "name": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb"
            },
            {
              "name": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568"
            },
            {
              "name": "https://github.com/api-platform/core/releases/tag/v3.4.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
            }
          ],
          "source": {
            "advisory": "GHSA-cg3c-245w-728m",
            "discovery": "UNKNOWN"
          },
          "title": "GraphQL query operations security can be bypassed"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-31481",
        "datePublished": "2025-04-03T19:20:22.916Z",
        "dateReserved": "2025-03-28T13:36:51.297Z",
        "dateUpdated": "2025-04-08T13:14:36.379Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-47639 (GCVE-0-2023-47639)

    Vulnerability from cvelistv5 – Published: 2025-04-03 16:46 – Updated: 2025-04-03 18:08
    VLAI
    Title
    API Platform Core can leak exceptions message that may contain sensitive information
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 3.2.0, < 3.2.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-47639",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T18:08:11.190947Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T18:08:26.822Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.2.0, \u003c 3.2.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-03T16:46:13.632Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-rfw5-cqjj-7v9r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-rfw5-cqjj-7v9r"
            },
            {
              "name": "https://github.com/api-platform/core/pull/5823",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/pull/5823"
            },
            {
              "name": "https://github.com/api-platform/core/commit/ba8a7e6538bccebf14c228e43a9339214c4d9201",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/ba8a7e6538bccebf14c228e43a9339214c4d9201"
            }
          ],
          "source": {
            "advisory": "GHSA-rfw5-cqjj-7v9r",
            "discovery": "UNKNOWN"
          },
          "title": "API Platform Core can leak exceptions message that may contain sensitive information"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-47639",
        "datePublished": "2025-04-03T16:46:13.632Z",
        "dateReserved": "2023-11-07T16:57:49.245Z",
        "dateUpdated": "2025-04-03T18:08:26.822Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-23204 (GCVE-0-2025-23204)

    Vulnerability from cvelistv5 – Published: 2025-03-24 15:53 – Updated: 2025-03-24 18:03
    VLAI
    Title
    GraphQl securityAfterResolver not called
    Summary
    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to `security`, the impact is there only when there's only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 3.3.8, < 3.3.15
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23204",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T18:03:40.928908Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:03:54.959Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.3.8, \u003c 3.3.15"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there\u0027s no break in a clause. As this falls back to `security`, the impact is there only when there\u0027s only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-24T16:31:46.230Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3"
            },
            {
              "name": "https://github.com/api-platform/core/pull/6444",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/pull/6444"
            },
            {
              "name": "https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56"
            },
            {
              "name": "https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620"
            },
            {
              "name": "https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57"
            }
          ],
          "source": {
            "advisory": "GHSA-7mxx-3cgm-xxv3",
            "discovery": "UNKNOWN"
          },
          "title": "GraphQl securityAfterResolver not called"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-23204",
        "datePublished": "2025-03-24T15:53:19.156Z",
        "dateReserved": "2025-01-13T17:15:41.050Z",
        "dateUpdated": "2025-03-24T18:03:54.959Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25575 (GCVE-0-2023-25575)

    Vulnerability from cvelistv5 – Published: 2023-02-28 22:21 – Updated: 2025-03-07 18:36
    VLAI
    Title
    Secured properties in API Platform Core may be accessible within collections
    Summary
    API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. The JSON-LD format is not affected by the issue. The result of the security rule is only executed for the first item of the collection. The result of the rule is then cached and reused for the next items. This bug can leak data to unauthorized users when the rule depends on the value of a property of the item. This bug can also hide properties that should be displayed to authorized users. This issue impacts the 2.7, 3.0 and 3.1 branches. Please upgrade to versions 2.7.10, 3.0.12 or 3.1.3. As a workaround, replace the `cache_key` of the context array of the Serializer inside a custom normalizer that works on objects if the security option of the `ApiPlatform\Metadata\ApiProperty` attribute is used.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-842 - Placement of User into Incorrect Group
    Assigner
    References
    Impacted products
    Vendor Product Version
    api-platform core Affected: >= 3.0.0, < 3.0.12
    Affected: >= 3.1.0, < 3.1.3
    Affected: >= 2.6.0, < 2.7.10
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:25:19.302Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv"
              },
              {
                "name": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25575",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-07T18:36:44.785754Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-07T18:36:53.149Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "core",
              "vendor": "api-platform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.0.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.1.0, \u003c 3.1.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.6.0, \u003c 2.7.10"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\\Metadata\\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. The JSON-LD format is not affected by the issue. The result of the security rule is only executed for the first item of the collection. The result of the rule is then cached and reused for the next items. This bug can leak data to unauthorized users when the rule depends on the value of a property of the item. This bug can also hide properties that should be displayed to authorized users. This issue impacts the 2.7, 3.0 and 3.1 branches. Please upgrade to versions 2.7.10, 3.0.12 or 3.1.3. As a workaround, replace the `cache_key` of the context array of the Serializer inside a custom normalizer that works on objects if the security option of the `ApiPlatform\\Metadata\\ApiProperty` attribute is used."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-842",
                  "description": "CWE-842: Placement of User into Incorrect Group",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-28T22:21:48.730Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv"
            },
            {
              "name": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb"
            }
          ],
          "source": {
            "advisory": "GHSA-vr2x-7687-h6qv",
            "discovery": "UNKNOWN"
          },
          "title": "Secured properties in API Platform Core may be accessible within collections"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25575",
        "datePublished": "2023-02-28T22:21:48.730Z",
        "dateReserved": "2023-02-07T17:10:00.742Z",
        "dateUpdated": "2025-03-07T18:36:53.149Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-1000011 (GCVE-0-2019-1000011)

    Vulnerability from cvelistv5 – Published: 2019-02-04 21:00 – Updated: 2024-08-05 03:00
    VLAI
    Summary
    API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2019-02-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:00:19.353Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/api-platform/core/issues/2364"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/api-platform/core/pull/2441"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "dateAssigned": "2019-01-22T00:00:00.000Z",
          "datePublic": "2019-02-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-04T20:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/issues/2364"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/api-platform/core/pull/2441"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "DATE_ASSIGNED": "2019-01-22T21:21:10.019708",
              "DATE_REQUESTED": "2019-01-15T15:30:38",
              "ID": "CVE-2019-1000011",
              "REQUESTER": "dunglas@gmail.com",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/api-platform/core/issues/2364",
                  "refsource": "MISC",
                  "url": "https://github.com/api-platform/core/issues/2364"
                },
                {
                  "name": "https://github.com/api-platform/core/pull/2441",
                  "refsource": "MISC",
                  "url": "https://github.com/api-platform/core/pull/2441"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-1000011",
        "datePublished": "2019-02-04T21:00:00.000Z",
        "dateReserved": "2019-01-15T00:00:00.000Z",
        "dateUpdated": "2024-08-05T03:00:19.353Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }