API Platform Core Security Vulnerability in GraphQL Resolvers

Vulnerability

A vulnerability exists in API Platform Core from version 3.3.8 up to, but not including, 3.3.15: a security check that is meant to be evaluated after a GraphQL resolver has run is selected incorrectly. The `switch` clause that picks which security expression to evaluate has no `break` after the after-resolver case, so execution falls through into the generic `security` case and the operation's `security` expression is used in its place. When an operation defines both expressions this only means the wrong (broader) expression is evaluated after the resolver; when an operation defines the after-resolver check alone, with no `security` expression, the fall-through yields no expression at all and the intended check is never performed. The issue is fixed in version 3.3.15.
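The following is an added illustration of the fall-through mechanism described above; it is not API Platform's code, and the `Operation` class, the stage names and the expression evaluator are hypothetical stand-ins. It contrasts a selection routine whose after-resolver case lacks a `break` with a corrected one, and shows that with only an after-resolver expression configured the vulnerable variant ends up with no expression and therefore grants access to a user who does not own the object:

```php
<?php
// Added example (not API Platform code). Models how a missing `break` in a
// switch silently replaces one security expression with another.
declare(strict_types=1);

// Hypothetical operation metadata: two optional security expressions.
final class Operation
{
    public function __construct(
        public readonly ?string $security = null,
        public readonly ?string $securityAfterResolver = null,
    ) {
    }
}

// Vulnerable selection: the 'after_resolver' case has no `break`, so control
// falls into the 'security' case and $expression is overwritten with the
// operation's `security` expression, which is null when none is configured.
function selectExpressionVulnerable(Operation $op, string $stage): ?string
{
    $expression = null;
    switch ($stage) {
        case 'after_resolver':
            $expression = $op->securityAfterResolver;
            // missing break: falls through into the next case
        case 'security':
            $expression = $op->security;
            break;
    }

    return $expression;
}

// Fixed selection: every case terminates, so each stage gets its own expression.
function selectExpressionFixed(Operation $op, string $stage): ?string
{
    switch ($stage) {
        case 'after_resolver':
            return $op->securityAfterResolver;
        case 'security':
            return $op->security;
        default:
            return null;
    }
}

// Hypothetical evaluator standing in for the expression language. An absent
// expression means there is nothing to check, which is the dangerous outcome.
function isAllowed(?string $expression, array $context): bool
{
    if ($expression === null) {
        return true; // no expression configured: access granted unconditionally
    }

    return match ($expression) {
        'object.owner == user' => $context['object']['owner'] === $context['user'],
        default => throw new LogicException("unsupported expression: $expression"),
    };
}

// Constructed scenario: only the after-resolver check is configured, and the
// requesting user is not the owner of the resolved object.
$op = new Operation(securityAfterResolver: 'object.owner == user');
$context = ['object' => ['owner' => 'alice'], 'user' => 'mallory'];

$vulnerable = isAllowed(selectExpressionVulnerable($op, 'after_resolver'), $context);
$fixed = isAllowed(selectExpressionFixed($op, 'after_resolver'), $context);

printf("vulnerable selection: %s\n", $vulnerable ? 'allowed (check skipped)' : 'denied');
printf("fixed selection:      %s\n", $fixed ? 'allowed' : 'denied');
```

Setting `security` on the same hypothetical `Operation` makes the vulnerable variant evaluate that expression after the resolver instead of skipping the check entirely, which is why the page notes the risk is greatest when the after-resolver check stands alone.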

Impact

On an affected version, a GraphQL operation that relies solely on an after-resolver security check runs that operation without evaluating the check at all, so data or actions the check was meant to protect (for example, an ownership condition on the resolved object) become reachable by any caller who can execute the operation. Operations that also define a `security` expression still get a check, but the broader `security` expression is the one evaluated after the resolver, not the intended one.

Reproduction

To reproduce this vulnerability on an affected version, configure a GraphQL operation whose only security expression is the one evaluated after the resolver (no `security` expression on the operation), ideally one whose condition depends on the resolved object so that its outcome is observable. Send a GraphQL request for that operation as a caller who should be denied by that condition; on an affected version the request succeeds, because the after-resolver expression is never evaluated.

Remediation

Update to API Platform Core version 3.3.15 or later, where this vulnerability has been patched. Based on the behaviour described above, an interim mitigation until the upgrade is applied is to review every GraphQL operation that defines only an after-resolver security expression and give it a `security` expression as well, so that a check is at least evaluated; that does not restore the intended after-resolver semantics, so the upgrade remains necessary.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.