Medium severity 4.4 · OSV Advisory · Published Mar 24, 2025 · Updated Apr 15, 2026
CVE-2025-23204
Description
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, the security check that is called after GraphQL resolvers is always replaced by another one because a clause is missing a break. Because the check falls back to security, there is an impact only when an operation defines a security check after the resolver and none in security. Version 3.3.15 contains a patch for the issue.
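The fall-through described above, as an added example that is not API Platform's own code: a simplified PHP model of a switch whose after-resolver clause lacks a break, beside a corrected form with the break in place. Every function name, array key and event string here is hypothetical.

```php
<?php
declare(strict_types=1);

// Simplified model of the described flaw. All names are hypothetical,
// not API Platform's own classes or methods.

/** Vulnerable shape: the 'after_resolver' clause has no break. */
function pickExpressionVulnerable(string $event, array $op): ?string
{
    switch ($event) {
        case 'after_resolver':
            $expression = $op['security_after_resolver'] ?? null;
            // missing break: execution falls through into default
        default:
            $expression = $op['security'] ?? null;
    }
    return $expression;
}

/** Corrected shape: the clause ends with break, so its value is kept. */
function pickExpressionFixed(string $event, array $op): ?string
{
    switch ($event) {
        case 'after_resolver':
            $expression = $op['security_after_resolver'] ?? null;
            break;
        default:
            $expression = $op['security'] ?? null;
    }
    return $expression;
}

/** A null expression means no check is configured, so nothing is enforced. */
function describe(?string $expression): string
{
    return $expression === null ? 'no check enforced' : "enforces: $expression";
}

// Constructed sample operations.
$onlyAfterResolver = ['security_after_resolver' => "is_granted('ROLE_ADMIN')"];
$both = [
    'security' => "is_granted('ROLE_USER')",
    'security_after_resolver' => "object.owner == user",
];

foreach (['only after-resolver' => $onlyAfterResolver, 'both set' => $both] as $label => $op) {
    printf("%-20s vulnerable: %s\n", $label, describe(pickExpressionVulnerable('after_resolver', $op)));
    printf("%-20s fixed:      %s\n", $label, describe(pickExpressionFixed('after_resolver', $op)));
}
```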
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| api-platform/core (Packagist) | >= 3.3.8, < 3.3.15 | 3.3.15 |
Affected products (2)
- Range: v3.3.10, v3.3.11, v3.3.12, …
References (7)
- github.com/advisories/GHSA-7mxx-3cgm-xxv3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-23204 (ghsa, ADVISORY)
- github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620 (nvd, WEB)
- github.com/api-platform/core/pull/6444 (nvd, WEB)
- github.com/api-platform/core/pull/6444/files (nvd, WEB)
- github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3 (nvd, WEB)
- github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php (nvd, WEB)