API Platform GraphQL Relay Node Security Bypass Vulnerability

A vulnerability in API Platform Core's GraphQL implementation allows users to bypass security checks on certain operations. This issue arises when using the Relay 'node' field, which can be exploited to access resources without proper authorization. The vulnerability affects API Platform Core versions prior to 4.0.21 and 3.4.16, and is present in the GraphQL component of the API Platform ecosystem.

Impact

Exploitation of this vulnerability allows unauthorized access to GraphQL resources, bypassing defined security measures. This could lead to unauthorized data exposure or manipulation, depending on the accessed resources.

Reproduction

To reproduce this vulnerability, create a GraphQL query that uses the Relay 'node' field to access a resource. This can be done by sending a query that includes the 'node' field with an identifier for the resource, bypassing any security checks that would normally apply to a standard query operation.

Remediation

Users can upgrade to API Platform Core versions 4.0.22 or 3.4.17 to address this vulnerability.