Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS00MjhxLXEzdnYtM2ZxM84ABGat

High EPSS: 0.00046% (0.13746 Percentile) EPSS:
Permalink JSON

GraphQL grant on a property might be cached with different objects

Affected Packages Affected Versions Fixed Versions
packagist:api-platform/core >= 4.0.0-alpha.1, < 4.0.22, < 3.4.17 4.0.22, 3.4.17
254 Dependent packages
4,312 Dependent repositories
40,908,723 Downloads total

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.7.13, 2.7.14, 2.7.15, 2.7.16, 2.7.17, 2.7.18, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.23, 3.2.24, 3.2.25, 3.2.26, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.3.14, 3.3.15, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.14, 3.4.15, 3.4.16, 4.0.0, 4.0.0-alpha.1, 4.0.0-alpha.2, 4.0.0-alpha.3, 4.0.0-alpha.4, 4.0.0-alpha.5, 4.0.0-alpha.6, 4.0.0-alpha.7, 4.0.0-beta.1, 4.0.0-beta.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.0.20, 4.0.21

All unaffected versions

3.4.17, 4.0.22, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.14, 4.1.15, 4.1.16, 4.1.17, 4.1.18, 4.1.19, 4.1.20
packagist:api-platform/graphql >= 4.0.0-alpha.1, < 4.0.22, < 3.4.17 4.0.22, 3.4.17
1 Dependent packages
1 Dependent repositories
49,425 Downloads total

Affected Version Ranges

All affected versions

3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.25, 3.3.3, 3.3.4, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.11, 3.3.13, 3.3.14, 3.3.15, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.13, 3.4.14, 3.4.15, 3.4.16, 4.0.0, 4.0.0-alpha.1, 4.0.0-alpha.2, 4.0.0-alpha.3, 4.0.0-alpha.4, 4.0.0-alpha.5, 4.0.0-alpha.6, 4.0.0-alpha.7, 4.0.0-beta.1, 4.0.0-beta.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.0.20, 4.0.21

All unaffected versions

3.4.17, 4.0.22, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.14, 4.1.15, 4.1.16, 4.1.17, 4.1.18, 4.1.19

Original message:

I found an issue with security grants on on properties in the GraphQL ItemNormalizer:

If you use something like #[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')] on a member of an entity, the grant gets cached and is only evaluated once, even if the object in question is a different one.

There is the ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164
and in its usage on line 90 it does indeed not create a cache key, but the parent::normalize() that is called afterwards still creates the cache key and causes the issue.

Impact

It grants access to properties that it should not.

Workarounds

Override the ItemNormalizer.

Patched at: https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8

References:

Identifiers

GHSA-428q-q3vv-3fq3

CVE-2025-31485

Risk

Severity

High

EPSS

EPSS Percentage: 0.00046

EPSS Percentile: 0.13746

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/api-platform/core

Date and time

Published

4 months ago

Updated

4 months ago

API

JSON