API Platform Core GraphQL Cache Key Vulnerability Allowing Improper Access Grants

Vulnerability

A vulnerability exists in API Platform Core's GraphQL implementation, affecting versions prior to 4.0.22 and 3.4.17. Security grants declared on properties (an ApiProperty security expression, which may depend on the object being normalized, such as one comparing the object's owner to the current user) can be cached and then replayed for different objects. The root cause is the caching mechanism of the GraphQL ItemNormalizer: the cache key does not account for the object instance, so a grant evaluated once against the first object of a class is reused for subsequent objects of that class in the same normalization context. As a result, a property may be exposed on objects for which the expression would have denied it, or withheld on objects for which it would have been granted, depending on which object happened to populate the cache first.

Impact

This vulnerability can lead to unauthorized disclosure of GraphQL properties: a user whose grant was evaluated positively on one object may read the same property on other objects of that class that they are not permitted to access. The inverse also applies: a negative evaluation on the first object is replayed onto objects the user is entitled to see, so legitimate data is withheld. The disclosure case is the security-relevant one; REST resources normalized through the non-GraphQL path are not the subject of this advisory.

Reproduction

To reproduce this vulnerability, declare a property-level security grant with the ApiProperty attribute whose expression depends on the object (for example one that compares the object's owner to the current user), then fetch several objects of that class in a single GraphQL query, such as a collection query or a query with nested relations. The grant is evaluated only once, against the first object normalized, and the cached result is applied to every object that follows, regardless of their differing property values. The defect is visible when the objects would yield different grant results: create at least two instances, one on which the expression should pass and one on which it should fail, and observe that the response either includes the protected property on both or omits it on both, according to whichever instance was normalized first.
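The following is an added model of the flaw described in the Vulnerability and Reproduction sections above. It is not API Platform code (the project is written in PHP; this model is in Python so it can be run stand-alone) and the names Book, PROPERTY_SECURITY, VulnerableNormalizer, FixedNormalizer and the sample records are all constructed for illustration. The vulnerable normalizer keys its allowed-attribute cache on (resource class, user) only, so the grant computed for the first object is replayed for the rest; the fixed variant caches only the static attribute list and evaluates every property grant per object, one of several reasonable hardened shapes and not necessarily the exact shape of the project's patch.

```python
"""Model of property-grant caching across objects (the flaw) next to a
per-object evaluation (the fix). Hypothetical names; not API Platform code."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass
class Book:  # constructed sample resource, not from the advisory
    id: int
    title: str
    owner: str
    private_notes: str


# A property grant of the shape an ApiProperty security expression such as
# "object.owner == user" would have, modeled as a callable of (object, user).
PROPERTY_SECURITY: Dict[str, Callable[[Book, str], bool]] = {
    "private_notes": lambda obj, user: obj.owner == user,
}
ALL_ATTRIBUTES: Tuple[str, ...] = ("id", "title", "owner", "private_notes")


def evaluate_grants(obj: Book, user: str) -> FrozenSet[str]:
    """Evaluate every property grant against this particular object."""
    return frozenset(
        attr for attr in ALL_ATTRIBUTES
        if attr not in PROPERTY_SECURITY or PROPERTY_SECURITY[attr](obj, user)
    )


class VulnerableNormalizer:
    """Allowed-attribute set cached per (resource class, user): the grant is
    evaluated once, on the first object seen, and replayed for all others."""

    def __init__(self) -> None:
        self._cache: Dict[Tuple[str, str], FrozenSet[str]] = {}

    def normalize(self, obj: Book, user: str) -> Dict[str, object]:
        key = (type(obj).__name__, user)  # object identity missing from the key
        if key not in self._cache:
            self._cache[key] = evaluate_grants(obj, user)
        return {attr: getattr(obj, attr) for attr in self._cache[key]}


class FixedNormalizer:
    """Only the static, non-secured attribute list is cached; property grants
    are evaluated for every object that is normalized."""

    def __init__(self) -> None:
        self._static: Dict[str, FrozenSet[str]] = {}

    def normalize(self, obj: Book, user: str) -> Dict[str, object]:
        cls = type(obj).__name__
        if cls not in self._static:
            self._static[cls] = frozenset(
                a for a in ALL_ATTRIBUTES if a not in PROPERTY_SECURITY)
        allowed = self._static[cls] | frozenset(
            a for a in PROPERTY_SECURITY if PROPERTY_SECURITY[a](obj, user))
        return {attr: getattr(obj, attr) for attr in allowed}


def collection(normalizer, user: str) -> List[Dict[str, object]]:
    """Simulates a GraphQL collection query: several objects normalized in one
    request by one normalizer instance, which is where a stale grant leaks."""
    books = [  # constructed sample data with different owners
        Book(1, "Alice's diary", owner="alice", private_notes="alice only"),
        Book(2, "Bob's diary", owner="bob", private_notes="bob only"),
    ]
    return [normalizer.normalize(book, user) for book in books]


def leaked_notes(normalizer_cls, user: str) -> List[object]:
    """private_notes values the user can read on objects they do not own."""
    return [
        item["private_notes"]
        for item in collection(normalizer_cls(), user)
        if "private_notes" in item and item["owner"] != user
    ]


if __name__ == "__main__":
    print("vulnerable, alice sees:", leaked_notes(VulnerableNormalizer, "alice"))
    print("fixed, alice sees:     ", leaked_notes(FixedNormalizer, "alice"))
    print("vulnerable, bob's own: ", collection(VulnerableNormalizer(), "bob")[1])
```

Run as alice, the vulnerable normalizer discloses Bob's private_notes because Alice's positive grant on the first object is replayed onto the second; run as bob, the same normalizer withholds Bob's own notes because the negative grant on Alice's object came first. The fixed normalizer gives the correct result in both cases, which is the check to perform against an upgraded deployment: issue a collection query as a user who is authorized on some objects but not others, and confirm the protected property appears only on the authorized ones.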

Remediation

Users should update to API Platform Core 4.0.22 (for the 4.0 branch) or 3.4.17 (for the 3.4 branch); both releases include the fix. Instructions for updating can be found in the API Platform documentation. After upgrading, verify the fix by querying a collection as a user who is authorized on some objects but not others and confirming that the property protected by the security expression appears only on the authorized objects.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          2.5
exploitability  9.3
remediation     7.7
relevance       0.0
threat          4.8
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.