CVE-2025-23204
GraphQl securityAfterResolver not called
In short
A post-resolver security check in API Platform Core's GraphQL support is skipped because of a missing break statement, so requests that should be denied can reach resolvers whose only protection is a `securityAfterResolver` rule.
Technical detail
A control-flow bug in API Platform Core versions 3.3.8 through 3.3.14 affects the access checker that runs after GraphQL resolvers: the `switch` clause that selects the `securityAfterResolver` expression has no `break`, so execution falls through into the next clause and the selected expression is overwritten with the operation's plain `security` expression. Because the check therefore falls back to `security`, authorization is still enforced whenever `security` is set; the bypass occurs only when an operation defines `securityAfterResolver` without a corresponding `security` expression, in which case the after-resolver rule is never evaluated and requests that should be denied reach the protected resolver. Version 3.3.15 fixes the issue.
Summary generated and translated by AI from the official description.
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to `security`, the impact is there only when there's only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue.
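The fall-through that the advisory describes, shown as an added illustration rather than code from API Platform: a toy access checker modelled on the pattern (a `switch` on the checker event whose `after_resolver` clause lacks a `break`) next to the corrected form. The `OperationMeta`, `selectRuleVulnerable`, `selectRuleFixed` and `checkAccess` names, the event strings and the clause order are constructed for this example and are not the project's own API.

```php
<?php
declare(strict_types=1);

// Added illustration, not API Platform's own code (requires PHP 8.1+ for readonly
// promoted properties). Models an access checker whose `switch` selects which
// security rule to evaluate for a given checker event.

// Constructed stand-in for an operation's security metadata. Each rule is a closure
// taking the caller's roles and returning true when access is granted; null means
// "no rule configured", which the checker treats as "nothing to check".
final class OperationMeta
{
    public function __construct(
        public readonly ?Closure $security = null,
        public readonly ?Closure $securityPostDenormalize = null,
        public readonly ?Closure $securityAfterResolver = null,
    ) {}
}

// Vulnerable selection: the `after_resolver` case has no `break`, so control falls
// through into the default clause and the after-resolver rule is overwritten by the
// plain `security` rule. This is the pattern the advisory describes.
function selectRuleVulnerable(OperationMeta $op, string $event): ?Closure
{
    $rule = null;
    switch ($event) {
        case 'post_denormalize':
            $rule = $op->securityPostDenormalize;
            break;
        case 'after_resolver':
            $rule = $op->securityAfterResolver;
            // no break: falls through to default and loses the rule just selected
        default:
            $rule = $op->security;
    }
    return $rule;
}

// Fixed selection: identical, except the after_resolver case ends with `break`.
function selectRuleFixed(OperationMeta $op, string $event): ?Closure
{
    $rule = null;
    switch ($event) {
        case 'post_denormalize':
            $rule = $op->securityPostDenormalize;
            break;
        case 'after_resolver':
            $rule = $op->securityAfterResolver;
            break;
        default:
            $rule = $op->security;
    }
    return $rule;
}

// Evaluates the selected rule. Returns 'granted' when the rule passes, 'denied' when
// it fails, and 'unchecked' when no rule was selected (the checker would hand the
// resolver's data back untouched in that case).
function checkAccess(OperationMeta $op, string $event, array $roles, bool $vulnerable): string
{
    $rule = $vulnerable ? selectRuleVulnerable($op, $event) : selectRuleFixed($op, $event);
    if ($rule === null) {
        return 'unchecked';
    }
    return $rule($roles) ? 'granted' : 'denied';
}

// Constructed sample input: a rule requiring ROLE_ADMIN and an anonymous caller.
$requireAdmin = static fn (array $roles): bool => in_array('ROLE_ADMIN', $roles, true);
$anonymous = ['ROLE_ANONYMOUS'];

// Scenario 1: only securityAfterResolver is configured (the exploitable configuration).
$onlyAfter = new OperationMeta(securityAfterResolver: $requireAdmin);
echo 'after_resolver, no security, vulnerable: ', checkAccess($onlyAfter, 'after_resolver', $anonymous, true), PHP_EOL;
echo 'after_resolver, no security, fixed:      ', checkAccess($onlyAfter, 'after_resolver', $anonymous, false), PHP_EOL;

// Scenario 2: security is also configured, so the fall-through still enforces a rule.
$both = new OperationMeta(security: $requireAdmin, securityAfterResolver: $requireAdmin);
echo 'after_resolver, with security, vulnerable: ', checkAccess($both, 'after_resolver', $anonymous, true), PHP_EOL;
echo 'after_resolver, with security, fixed:      ', checkAccess($both, 'after_resolver', $anonymous, false), PHP_EOL;
```

Run it with `php example.php`. In the first scenario the vulnerable selector ends up with no rule at all, so the anonymous caller is left unchecked, while the fixed selector denies the request; in the second scenario the fall-through still evaluates the `security` rule, which is why the advisory limits the impact to operations that define `securityAfterResolver` without a `security` expression. When auditing an affected deployment, grep the GraphQL operation definitions for `securityAfterResolver` and confirm each one also carries a `security` expression, or upgrade to 3.3.15.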
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Affected products
api-platform · core
References
https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620
https://github.com/api-platform/core/pull/6444
https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56
https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3
https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57