
CVE-2025-31485 – GraphQL grant on a property might be cached with different objects
https://notcve.org/view.php?id=CVE-2025-31485
03 Apr 2025 — API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22, the result of a GraphQL security grant on a property could be cached and then reused for a different object. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent that caching, but the parent::normalize() method called afterwards still builds the cache key, so the guard is ineffective. This vulnerability is fixed in 4.0.22. • https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8 • CWE-696: Incorrect Behavior Order •

CVE-2025-31481 – GraphQL query operations security can be bypassed
https://notcve.org/view.php?id=CVE-2025-31481
03 Apr 2025 — API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type, a client can bypass the security configured on an operation. This vulnerability is fixed in 4.0.22. • https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568 • CWE-863: Incorrect Authorization •

CVE-2023-47639 – API Platform Core can leak exceptions message that may contain sensitive information
https://notcve.org/view.php?id=CVE-2023-47639
03 Apr 2025 — API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, the messages of exceptions that are not HTTP exceptions are exposed in the JSON error response, which may disclose sensitive internal information. This vulnerability is fixed in 3.2.5. • https://github.com/api-platform/core/commit/ba8a7e6538bccebf14c228e43a9339214c4d9201 • CWE-209: Generation of Error Message Containing Sensitive Information •

CVE-2025-23204 – GraphQl securityAfterResolver not called
https://notcve.org/view.php?id=CVE-2025-23204
24 Mar 2025 — API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, the security check that runs after GraphQL resolvers (`securityAfterResolver`) is always replaced by another one because a clause is missing a `break`. Since the replacement falls back to `security`, the impact is limited to operations that configure only a security-after-resolver expression and no `security` expression. Version 3.3.15 contains a patch for the issue. • https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620 • CWE-20: Improper Input Validation •
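The two configurations the advisory distinguishes, as an added illustration (this is not API Platform's code and not taken from the advisory). The attribute and parameter names (`ApiResource`, `graphQlOperations`, `Query`, `QueryCollection`, `security`, `securityAfterResolver`) are assumed from the API Platform 3.x metadata classes; the resource classes and expressions are made up for this example.

```php
<?php
// Added example, not API Platform's own code. Assumed names: ApiResource,
// graphQlOperations, GraphQl\Query, GraphQl\QueryCollection, and the
// `security` / `securityAfterResolver` operation options (API Platform 3.x).
declare(strict_types=1);

namespace App\Entity;

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\GraphQl\Query;
use ApiPlatform\Metadata\GraphQl\QueryCollection;

// Affected pattern on 3.3.8 through 3.3.14: only securityAfterResolver is set.
// Per the advisory, the after-resolver check is replaced by the `security`
// fallback, which is null here, so no check runs and any client can read
// a Report through the GraphQL item query.
#[ApiResource(
    graphQlOperations: [
        new Query(securityAfterResolver: "object.owner == user.getUserIdentifier()"),
        new QueryCollection(),
    ],
)]
class Report
{
    public ?int $id = null;
    public ?string $owner = null;
    public string $body = '';
}

// Variant the advisory describes as not impacted: `security` is also set.
// The fallback then resolves to the `security` expression, so the query is
// still gated (by the role check, evaluated again after the resolver) rather
// than left open; the per-object expression itself is still the one that is
// replaced until 3.3.15.
#[ApiResource(
    graphQlOperations: [
        new Query(
            security: "is_granted('ROLE_USER')",
            securityAfterResolver: "object.owner == user.getUserIdentifier()",
        ),
        new QueryCollection(security: "is_granted('ROLE_USER')"),
    ],
)]
class Invoice
{
    public ?int $id = null;
    public ?string $owner = null;
    public string $body = '';
}
```

To audit an application on an affected version, search the resource metadata for GraphQL operations that set `securityAfterResolver` without `security`; those are the operations that run with no authorization check at all until the upgrade to 3.3.15.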

CVE-2023-25575 – Secured properties in API Platform Core may be accessible within collections
https://notcve.org/view.php?id=CVE-2023-25575
28 Feb 2023 — API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform; custom serialization formats may also be impacted. Only collection endpoints are affected by the issue; item endpoints are not. • https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb • CWE-842: Placement of User into Incorrect Group • CWE-863: Incorrect Authorization •
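The configuration pattern this advisory concerns, as an added illustration that is not part of the advisory or the project's code: a property secured through the `security` option of `ApiPlatform\Metadata\ApiProperty` (the attribute the advisory names), exposed through both an item and a collection operation. The resource, property and operation class names are assumed for this example.

```php
<?php
// Added example, not API Platform's own code. The attribute
// ApiPlatform\Metadata\ApiProperty and its `security` option are named in
// the advisory; ApiResource, Get and GetCollection are assumed from the
// API Platform 3.x metadata; the User resource is made up.
declare(strict_types=1);

namespace App\Entity;

use ApiPlatform\Metadata\ApiProperty;
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\GetCollection;

#[ApiResource(operations: [
    new Get(),            // item endpoint, e.g. GET /users/1: attribute honoured
    new GetCollection(),  // collection endpoint, e.g. GET /users: affected
])]
class User
{
    public ?int $id = null;

    public string $displayName = '';

    // Intended: only ROLE_ADMIN sees this field. On vulnerable versions the
    // item response omits it for non-admins, but the collection response
    // still serializes it for every caller (raw JSON included, per the
    // advisory), so a plain GET /users leaks every user's e-mail.
    #[ApiProperty(security: "is_granted('ROLE_ADMIN')")]
    public ?string $email = null;
}
```

A practical regression check after applying the fix: request the collection endpoint as an unprivileged user in the default JSON format and confirm the secured property is absent from every member, then repeat for each custom format the application registers, since the advisory says custom serialization formats may be affected too.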

CVE-2019-1000011
https://notcve.org/view.php?id=CVE-2019-1000011
04 Feb 2019 — API Platform versions 2.2.0 through 2.3.5 contain an Incorrect Access Control vulnerability in GraphQL delete mutations: a user who is authorized to delete one resource can delete any resource. Exploitation requires an authenticated user who holds the delete authorization for at least one resource. This vulnerability appears to have been fixed in 2.3.6. • https://github.com/api-platform/core/issues/2364 •