Packagist (Composer) package
api-platform/core
pkg:composer/api-platform/core
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-31485 | High | 7.5 | | >= 4.0.0-alpha.1, < 4.0.22 | 4.0.22 | Apr 3, 2025 | API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the ca |
| CVE-2025-31481 | High | 7.5 | | >= 4.0.0-alpha.1, < 4.0.22 | 4.0.22 | Apr 3, 2025 | API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17. |
| CVE-2023-47639 | Medium | 5.3 | | >= 3.2.0, < 3.2.5 | 3.2.5 | Apr 3, 2025 | API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages that are not HTTP exceptions are visible in the JSON error response. This vulnerability is fixed in 3.2.5. |
| CVE-2025-23204 | Medium | 4.4 | | >= 3.3.8, < 3.3.15 | 3.3.15 | Mar 24, 2025 | API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQL resolvers is always replaced by another one as there's no break in a clause. As this falls back to `security`, the impact is |
| CVE-2023-25575 | — | | | >= 3.0.0, < 3.0.12 | 3.0.12 | Feb 28, 2023 | API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization format |
| CVE-2019-1000011 | — | | | >= 2.2.0, < 2.2.10 | 2.2.10 | Feb 4, 2019 | API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource being able to delete any resource. This attack appears to be exploitable via the user must be authorized. This v |