Search
Find a vulnerability
Search criteria
16 vulnerabilities found for core by api-platform
CVE-2026-54164 (GCVE-0-2026-54164)
Vulnerability from nvd – Published: 2026-07-01 19:14 – Updated: 2026-07-02 15:50
VLAI
EPSS
VEX
Title
API Platform Core: Missing IRI type check enables resource type confusion
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation's declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony's PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
< 4.1.30
Affected: >= 4.2.0, < 4.2.26 Affected: >= 4.3.0, < 4.3.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54164",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T15:50:13.142519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T15:50:25.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.30"
},
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 4.2.26"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.3.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer\u0027s AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation\u0027s declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony\u0027s PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T19:14:28.770Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h"
}
],
"source": {
"advisory": "GHSA-9rjg-x2p2-h68h",
"discovery": "UNKNOWN"
},
"title": "API Platform Core: Missing IRI type check enables resource type confusion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54164",
"datePublished": "2026-07-01T19:14:28.770Z",
"dateReserved": "2026-06-11T21:46:52.380Z",
"dateUpdated": "2026-07-02T15:50:25.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49858 (GCVE-0-2026-49858)
Vulnerability from nvd – Published: 2026-07-01 19:24 – Updated: 2026-07-02 12:20
VLAI
EPSS
VEX
Title
API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 2.6.0, < 4.1.29
Affected: >= 4.2.0, < 4.2.25 Affected: >= 4.3.0, < 4.3.8 |
|
| api-platform | api-platform/hal |
Affected:
>= 2.6.0, < 4.1.29
Affected: >= 4.2.0, < 4.2.25 Affected: >= 4.3.0, < 4.3.8 |
|
| api-platform | api-platform/json-api |
Affected:
>= 2.6.0, < 4.1.29
Affected: >= 4.2.0, < 4.2.25 Affected: >= 4.3.0, < 4.3.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T12:19:58.405684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:20:09.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 4.1.29"
},
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 4.2.25"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.3.8"
}
]
},
{
"product": "api-platform/hal",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 4.1.29"
},
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 4.2.25"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.3.8"
}
]
},
{
"product": "api-platform/json-api",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 4.1.29"
},
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 4.2.25"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\\JsonApi\\Serializer\\ItemNormalizer and ApiPlatform\\Hal\\Serializer\\ItemNormalizer are keyed on $context[\u0027cache_key\u0027], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T19:24:58.170Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23"
}
],
"source": {
"advisory": "GHSA-pjhx-3c3w-9v23",
"discovery": "UNKNOWN"
},
"title": "API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49858",
"datePublished": "2026-07-01T19:24:58.170Z",
"dateReserved": "2026-06-01T22:03:19.640Z",
"dateUpdated": "2026-07-02T12:20:09.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31485 (GCVE-0-2025-31485)
Vulnerability from nvd – Published: 2025-04-03 19:31 – Updated: 2025-04-08 13:15
VLAI
EPSS
VEX
Title
GraphQL grant on a property might be cached with different objects
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-696 - Incorrect Behavior Order
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/commit/7af65… | x_refsource_MISC |
| https://github.com/api-platform/core/commit/cba3a… | x_refsource_MISC |
| https://github.com/api-platform/core/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 4.0.0-alpha.1, < 4.0.22
Affected: < 3.4.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T19:59:34.529256Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:59:57.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.0.22"
},
{
"status": "affected",
"version": "\u003c 3.4.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\\GraphQl\\Serializer\\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696: Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T13:15:23.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3"
},
{
"name": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8"
},
{
"name": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a"
},
{
"name": "https://github.com/api-platform/core/releases/tag/v3.4.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
}
],
"source": {
"advisory": "GHSA-428q-q3vv-3fq3",
"discovery": "UNKNOWN"
},
"title": "GraphQL grant on a property might be cached with different objects"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31485",
"datePublished": "2025-04-03T19:31:46.021Z",
"dateReserved": "2025-03-28T13:36:51.298Z",
"dateUpdated": "2025-04-08T13:15:23.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31481 (GCVE-0-2025-31481)
Vulnerability from nvd – Published: 2025-04-03 19:20 – Updated: 2025-04-08 13:14
VLAI
EPSS
VEX
Title
GraphQL query operations security can be bypassed
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/commit/55712… | x_refsource_MISC |
| https://github.com/api-platform/core/commit/60747… | x_refsource_MISC |
| https://github.com/api-platform/core/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 4.0.0, < 4.0.22
Affected: < 3.4.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31481",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T19:39:57.000917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:40:10.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.22"
},
{
"status": "affected",
"version": "\u003c 3.4.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T13:14:36.379Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m"
},
{
"name": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb"
},
{
"name": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568"
},
{
"name": "https://github.com/api-platform/core/releases/tag/v3.4.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
}
],
"source": {
"advisory": "GHSA-cg3c-245w-728m",
"discovery": "UNKNOWN"
},
"title": "GraphQL query operations security can be bypassed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31481",
"datePublished": "2025-04-03T19:20:22.916Z",
"dateReserved": "2025-03-28T13:36:51.297Z",
"dateUpdated": "2025-04-08T13:14:36.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47639 (GCVE-0-2023-47639)
Vulnerability from nvd – Published: 2025-04-03 16:46 – Updated: 2025-04-03 18:08
VLAI
EPSS
VEX
Title
API Platform Core can leak exceptions message that may contain sensitive information
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/pull/5823 | x_refsource_MISC |
| https://github.com/api-platform/core/commit/ba8a7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 3.2.0, < 3.2.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47639",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T18:08:11.190947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T18:08:26.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T16:46:13.632Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-rfw5-cqjj-7v9r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-rfw5-cqjj-7v9r"
},
{
"name": "https://github.com/api-platform/core/pull/5823",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/pull/5823"
},
{
"name": "https://github.com/api-platform/core/commit/ba8a7e6538bccebf14c228e43a9339214c4d9201",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/ba8a7e6538bccebf14c228e43a9339214c4d9201"
}
],
"source": {
"advisory": "GHSA-rfw5-cqjj-7v9r",
"discovery": "UNKNOWN"
},
"title": "API Platform Core can leak exceptions message that may contain sensitive information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47639",
"datePublished": "2025-04-03T16:46:13.632Z",
"dateReserved": "2023-11-07T16:57:49.245Z",
"dateUpdated": "2025-04-03T18:08:26.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23204 (GCVE-0-2025-23204)
Vulnerability from nvd – Published: 2025-03-24 15:53 – Updated: 2025-03-24 18:03
VLAI
EPSS
VEX
Title
GraphQl securityAfterResolver not called
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to `security`, the impact is there only when there's only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue.
Severity
4.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/pull/6444 | x_refsource_MISC |
| https://github.com/api-platform/core/pull/6444/fi… | x_refsource_MISC |
| https://github.com/api-platform/core/commit/dc4fc… | x_refsource_MISC |
| https://github.com/soyuka/core/blob/7e2e8f9ff322a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 3.3.8, < 3.3.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23204",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T18:03:40.928908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T18:03:54.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.8, \u003c 3.3.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there\u0027s no break in a clause. As this falls back to `security`, the impact is there only when there\u0027s only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T16:31:46.230Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3"
},
{
"name": "https://github.com/api-platform/core/pull/6444",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/pull/6444"
},
{
"name": "https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56"
},
{
"name": "https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620"
},
{
"name": "https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57"
}
],
"source": {
"advisory": "GHSA-7mxx-3cgm-xxv3",
"discovery": "UNKNOWN"
},
"title": "GraphQl securityAfterResolver not called"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-23204",
"datePublished": "2025-03-24T15:53:19.156Z",
"dateReserved": "2025-01-13T17:15:41.050Z",
"dateUpdated": "2025-03-24T18:03:54.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25575 (GCVE-0-2023-25575)
Vulnerability from nvd – Published: 2023-02-28 22:21 – Updated: 2025-03-07 18:36
VLAI
EPSS
VEX
Title
Secured properties in API Platform Core may be accessible within collections
Summary
API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. The JSON-LD format is not affected by the issue. The result of the security rule is only executed for the first item of the collection. The result of the rule is then cached and reused for the next items. This bug can leak data to unauthorized users when the rule depends on the value of a property of the item. This bug can also hide properties that should be displayed to authorized users. This issue impacts the 2.7, 3.0 and 3.1 branches. Please upgrade to versions 2.7.10, 3.0.12 or 3.1.3. As a workaround, replace the `cache_key` of the context array of the Serializer inside a custom normalizer that works on objects if the security option of the `ApiPlatform\Metadata\ApiProperty` attribute is used.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-842 - Placement of User into Incorrect Group
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/commit/5723d… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 3.0.0, < 3.0.12
Affected: >= 3.1.0, < 3.1.3 Affected: >= 2.6.0, < 2.7.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:19.302Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv"
},
{
"name": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25575",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T18:36:44.785754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T18:36:53.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.12"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.3"
},
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 2.7.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\\Metadata\\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. The JSON-LD format is not affected by the issue. The result of the security rule is only executed for the first item of the collection. The result of the rule is then cached and reused for the next items. This bug can leak data to unauthorized users when the rule depends on the value of a property of the item. This bug can also hide properties that should be displayed to authorized users. This issue impacts the 2.7, 3.0 and 3.1 branches. Please upgrade to versions 2.7.10, 3.0.12 or 3.1.3. As a workaround, replace the `cache_key` of the context array of the Serializer inside a custom normalizer that works on objects if the security option of the `ApiPlatform\\Metadata\\ApiProperty` attribute is used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-842",
"description": "CWE-842: Placement of User into Incorrect Group",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-28T22:21:48.730Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv"
},
{
"name": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb"
}
],
"source": {
"advisory": "GHSA-vr2x-7687-h6qv",
"discovery": "UNKNOWN"
},
"title": "Secured properties in API Platform Core may be accessible within collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25575",
"datePublished": "2023-02-28T22:21:48.730Z",
"dateReserved": "2023-02-07T17:10:00.742Z",
"dateUpdated": "2025-03-07T18:36:53.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1000011 (GCVE-0-2019-1000011)
Vulnerability from nvd – Published: 2019-02-04 21:00 – Updated: 2024-08-05 03:00
VLAI
EPSS
VEX
Summary
API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/issues/2364 | x_refsource_MISC |
| https://github.com/api-platform/core/pull/2441 | x_refsource_MISC |
Date Public
2019-02-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:19.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/api-platform/core/issues/2364"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/api-platform/core/pull/2441"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2019-01-22T00:00:00.000Z",
"datePublic": "2019-02-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-04T20:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/issues/2364"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/pull/2441"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2019-01-22T21:21:10.019708",
"DATE_REQUESTED": "2019-01-15T15:30:38",
"ID": "CVE-2019-1000011",
"REQUESTER": "dunglas@gmail.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/api-platform/core/issues/2364",
"refsource": "MISC",
"url": "https://github.com/api-platform/core/issues/2364"
},
{
"name": "https://github.com/api-platform/core/pull/2441",
"refsource": "MISC",
"url": "https://github.com/api-platform/core/pull/2441"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-1000011",
"datePublished": "2019-02-04T21:00:00.000Z",
"dateReserved": "2019-01-15T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:00:19.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-49858 (GCVE-0-2026-49858)
Vulnerability from cvelistv5 – Published: 2026-07-01 19:24 – Updated: 2026-07-02 12:20
VLAI
EPSS
VEX
Title
API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 2.6.0, < 4.1.29
Affected: >= 4.2.0, < 4.2.25 Affected: >= 4.3.0, < 4.3.8 |
|
| api-platform | api-platform/hal |
Affected:
>= 2.6.0, < 4.1.29
Affected: >= 4.2.0, < 4.2.25 Affected: >= 4.3.0, < 4.3.8 |
|
| api-platform | api-platform/json-api |
Affected:
>= 2.6.0, < 4.1.29
Affected: >= 4.2.0, < 4.2.25 Affected: >= 4.3.0, < 4.3.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T12:19:58.405684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:20:09.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 4.1.29"
},
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 4.2.25"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.3.8"
}
]
},
{
"product": "api-platform/hal",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 4.1.29"
},
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 4.2.25"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.3.8"
}
]
},
{
"product": "api-platform/json-api",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 4.1.29"
},
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 4.2.25"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\\JsonApi\\Serializer\\ItemNormalizer and ApiPlatform\\Hal\\Serializer\\ItemNormalizer are keyed on $context[\u0027cache_key\u0027], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T19:24:58.170Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23"
}
],
"source": {
"advisory": "GHSA-pjhx-3c3w-9v23",
"discovery": "UNKNOWN"
},
"title": "API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49858",
"datePublished": "2026-07-01T19:24:58.170Z",
"dateReserved": "2026-06-01T22:03:19.640Z",
"dateUpdated": "2026-07-02T12:20:09.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54164 (GCVE-0-2026-54164)
Vulnerability from cvelistv5 – Published: 2026-07-01 19:14 – Updated: 2026-07-02 15:50
VLAI
EPSS
VEX
Title
API Platform Core: Missing IRI type check enables resource type confusion
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation's declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony's PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
< 4.1.30
Affected: >= 4.2.0, < 4.2.26 Affected: >= 4.3.0, < 4.3.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54164",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T15:50:13.142519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T15:50:25.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.30"
},
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 4.2.26"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.3.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer\u0027s AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation\u0027s declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony\u0027s PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T19:14:28.770Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h"
}
],
"source": {
"advisory": "GHSA-9rjg-x2p2-h68h",
"discovery": "UNKNOWN"
},
"title": "API Platform Core: Missing IRI type check enables resource type confusion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54164",
"datePublished": "2026-07-01T19:14:28.770Z",
"dateReserved": "2026-06-11T21:46:52.380Z",
"dateUpdated": "2026-07-02T15:50:25.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31485 (GCVE-0-2025-31485)
Vulnerability from cvelistv5 – Published: 2025-04-03 19:31 – Updated: 2025-04-08 13:15
VLAI
EPSS
VEX
Title
GraphQL grant on a property might be cached with different objects
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-696 - Incorrect Behavior Order
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/commit/7af65… | x_refsource_MISC |
| https://github.com/api-platform/core/commit/cba3a… | x_refsource_MISC |
| https://github.com/api-platform/core/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 4.0.0-alpha.1, < 4.0.22
Affected: < 3.4.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T19:59:34.529256Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:59:57.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.0.22"
},
{
"status": "affected",
"version": "\u003c 3.4.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\\GraphQl\\Serializer\\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696: Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T13:15:23.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3"
},
{
"name": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8"
},
{
"name": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a"
},
{
"name": "https://github.com/api-platform/core/releases/tag/v3.4.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
}
],
"source": {
"advisory": "GHSA-428q-q3vv-3fq3",
"discovery": "UNKNOWN"
},
"title": "GraphQL grant on a property might be cached with different objects"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31485",
"datePublished": "2025-04-03T19:31:46.021Z",
"dateReserved": "2025-03-28T13:36:51.298Z",
"dateUpdated": "2025-04-08T13:15:23.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31481 (GCVE-0-2025-31481)
Vulnerability from cvelistv5 – Published: 2025-04-03 19:20 – Updated: 2025-04-08 13:14
VLAI
EPSS
VEX
Title
GraphQL query operations security can be bypassed
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/commit/55712… | x_refsource_MISC |
| https://github.com/api-platform/core/commit/60747… | x_refsource_MISC |
| https://github.com/api-platform/core/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 4.0.0, < 4.0.22
Affected: < 3.4.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31481",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T19:39:57.000917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:40:10.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.22"
},
{
"status": "affected",
"version": "\u003c 3.4.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T13:14:36.379Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m"
},
{
"name": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb"
},
{
"name": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568"
},
{
"name": "https://github.com/api-platform/core/releases/tag/v3.4.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
}
],
"source": {
"advisory": "GHSA-cg3c-245w-728m",
"discovery": "UNKNOWN"
},
"title": "GraphQL query operations security can be bypassed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31481",
"datePublished": "2025-04-03T19:20:22.916Z",
"dateReserved": "2025-03-28T13:36:51.297Z",
"dateUpdated": "2025-04-08T13:14:36.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47639 (GCVE-0-2023-47639)
Vulnerability from cvelistv5 – Published: 2025-04-03 16:46 – Updated: 2025-04-03 18:08
VLAI
EPSS
VEX
Title
API Platform Core can leak exceptions message that may contain sensitive information
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/pull/5823 | x_refsource_MISC |
| https://github.com/api-platform/core/commit/ba8a7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 3.2.0, < 3.2.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47639",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T18:08:11.190947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T18:08:26.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T16:46:13.632Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-rfw5-cqjj-7v9r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-rfw5-cqjj-7v9r"
},
{
"name": "https://github.com/api-platform/core/pull/5823",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/pull/5823"
},
{
"name": "https://github.com/api-platform/core/commit/ba8a7e6538bccebf14c228e43a9339214c4d9201",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/ba8a7e6538bccebf14c228e43a9339214c4d9201"
}
],
"source": {
"advisory": "GHSA-rfw5-cqjj-7v9r",
"discovery": "UNKNOWN"
},
"title": "API Platform Core can leak exceptions message that may contain sensitive information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47639",
"datePublished": "2025-04-03T16:46:13.632Z",
"dateReserved": "2023-11-07T16:57:49.245Z",
"dateUpdated": "2025-04-03T18:08:26.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23204 (GCVE-0-2025-23204)
Vulnerability from cvelistv5 – Published: 2025-03-24 15:53 – Updated: 2025-03-24 18:03
VLAI
EPSS
VEX
Title
GraphQl securityAfterResolver not called
Summary
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to `security`, the impact is there only when there's only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue.
Severity
4.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/pull/6444 | x_refsource_MISC |
| https://github.com/api-platform/core/pull/6444/fi… | x_refsource_MISC |
| https://github.com/api-platform/core/commit/dc4fc… | x_refsource_MISC |
| https://github.com/soyuka/core/blob/7e2e8f9ff322a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 3.3.8, < 3.3.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23204",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T18:03:40.928908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T18:03:54.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.8, \u003c 3.3.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there\u0027s no break in a clause. As this falls back to `security`, the impact is there only when there\u0027s only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T16:31:46.230Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3"
},
{
"name": "https://github.com/api-platform/core/pull/6444",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/pull/6444"
},
{
"name": "https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56"
},
{
"name": "https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620"
},
{
"name": "https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57"
}
],
"source": {
"advisory": "GHSA-7mxx-3cgm-xxv3",
"discovery": "UNKNOWN"
},
"title": "GraphQl securityAfterResolver not called"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-23204",
"datePublished": "2025-03-24T15:53:19.156Z",
"dateReserved": "2025-01-13T17:15:41.050Z",
"dateUpdated": "2025-03-24T18:03:54.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25575 (GCVE-0-2023-25575)
Vulnerability from cvelistv5 – Published: 2023-02-28 22:21 – Updated: 2025-03-07 18:36
VLAI
EPSS
VEX
Title
Secured properties in API Platform Core may be accessible within collections
Summary
API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. The JSON-LD format is not affected by the issue. The result of the security rule is only executed for the first item of the collection. The result of the rule is then cached and reused for the next items. This bug can leak data to unauthorized users when the rule depends on the value of a property of the item. This bug can also hide properties that should be displayed to authorized users. This issue impacts the 2.7, 3.0 and 3.1 branches. Please upgrade to versions 2.7.10, 3.0.12 or 3.1.3. As a workaround, replace the `cache_key` of the context array of the Serializer inside a custom normalizer that works on objects if the security option of the `ApiPlatform\Metadata\ApiProperty` attribute is used.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-842 - Placement of User into Incorrect Group
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/commit/5723d… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 3.0.0, < 3.0.12
Affected: >= 3.1.0, < 3.1.3 Affected: >= 2.6.0, < 2.7.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:19.302Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv"
},
{
"name": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25575",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T18:36:44.785754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T18:36:53.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.12"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.3"
},
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 2.7.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\\Metadata\\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. The JSON-LD format is not affected by the issue. The result of the security rule is only executed for the first item of the collection. The result of the rule is then cached and reused for the next items. This bug can leak data to unauthorized users when the rule depends on the value of a property of the item. This bug can also hide properties that should be displayed to authorized users. This issue impacts the 2.7, 3.0 and 3.1 branches. Please upgrade to versions 2.7.10, 3.0.12 or 3.1.3. As a workaround, replace the `cache_key` of the context array of the Serializer inside a custom normalizer that works on objects if the security option of the `ApiPlatform\\Metadata\\ApiProperty` attribute is used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-842",
"description": "CWE-842: Placement of User into Incorrect Group",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-28T22:21:48.730Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv"
},
{
"name": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb"
}
],
"source": {
"advisory": "GHSA-vr2x-7687-h6qv",
"discovery": "UNKNOWN"
},
"title": "Secured properties in API Platform Core may be accessible within collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25575",
"datePublished": "2023-02-28T22:21:48.730Z",
"dateReserved": "2023-02-07T17:10:00.742Z",
"dateUpdated": "2025-03-07T18:36:53.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1000011 (GCVE-0-2019-1000011)
Vulnerability from cvelistv5 – Published: 2019-02-04 21:00 – Updated: 2024-08-05 03:00
VLAI
EPSS
VEX
Summary
API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/issues/2364 | x_refsource_MISC |
| https://github.com/api-platform/core/pull/2441 | x_refsource_MISC |
Date Public
2019-02-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:19.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/api-platform/core/issues/2364"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/api-platform/core/pull/2441"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2019-01-22T00:00:00.000Z",
"datePublic": "2019-02-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-04T20:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/issues/2364"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/pull/2441"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2019-01-22T21:21:10.019708",
"DATE_REQUESTED": "2019-01-15T15:30:38",
"ID": "CVE-2019-1000011",
"REQUESTER": "dunglas@gmail.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/api-platform/core/issues/2364",
"refsource": "MISC",
"url": "https://github.com/api-platform/core/issues/2364"
},
{
"name": "https://github.com/api-platform/core/pull/2441",
"refsource": "MISC",
"url": "https://github.com/api-platform/core/pull/2441"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-1000011",
"datePublished": "2019-02-04T21:00:00.000Z",
"dateReserved": "2019-01-15T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:00:19.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}