api-platform/core
cpe:2.3:a:api-platform:core:*:*:*:*:*:*:*
- >= 3.2.0, <= 3.2.4
A vulnerability exists in API Platform Core versions 3.2.0 through 3.2.4 (fixed in 3.2.5), in which the messages of exceptions other than HTTP exceptions are exposed in the JSON error response. The issue arises from improper exception handling introduced while aligning error responses with the JSON Problem specification: exception details that should have been left to Symfony's error handling are serialized into the response body. Although the stack trace is omitted in production, the exception message alone can reveal sensitive information.
The vulnerability allows for the unintentional disclosure of exception messages in the JSON error response, which may contain sensitive information.
To reproduce this vulnerability, use API Platform Core version 3.2.0 through 3.2.4. Trigger an exception that is not an HTTP exception, such as an authentication exception caused by an unreachable LDAP server, and observe that the JSON response includes the exception message.
Users can upgrade to API Platform Core version 3.2.5 to address this vulnerability.
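As an added illustration of the distinction the advisory draws (example code, not API Platform's or Symfony's own), the subscriber below is a Symfony `kernel.exception` listener that echoes the message of HTTP exceptions, which are meant for the client, but replaces the message of any other throwable with a generic detail before it reaches the JSON Problem body. The class name, listener priority and the `type` URI format are assumptions; upgrading to 3.2.5 remains the actual fix.

```php
<?php
// Added example, not part of API Platform: keep non-HTTP exception messages
// out of the application/problem+json error body.

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
use Symfony\Component\HttpKernel\KernelEvents;

final class SafeProblemResponseSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Priority 100 is an assumption: high enough to run before the
        // framework's response-building listeners, but after Symfony's own
        // ErrorListener has logged the throwable server-side.
        return [KernelEvents::EXCEPTION => ['onKernelException', 100]];
    }

    public function onKernelException(ExceptionEvent $event): void
    {
        $throwable = $event->getThrowable();

        if ($throwable instanceof HttpExceptionInterface) {
            // HTTP exceptions (404, 403, ...) carry a client-facing message.
            $status  = $throwable->getStatusCode();
            $detail  = $throwable->getMessage() ?: (Response::$statusTexts[$status] ?? 'Error');
            $headers = $throwable->getHeaders();
        } else {
            // Anything else (unreachable LDAP, database errors, ...) is an
            // internal failure: its message stays in the server log only.
            $status  = Response::HTTP_INTERNAL_SERVER_ERROR;
            $detail  = 'Internal Server Error';
            $headers = [];
        }

        $body = [
            'type'   => '/errors/' . $status,   // assumed URI scheme
            'title'  => 'An error occurred',
            'status' => $status,
            'detail' => $detail,
        ];
        $headers['Content-Type'] = 'application/problem+json';

        $event->setResponse(new JsonResponse($body, $status, $headers));
    }
}
```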