CVE-2025-31485
GraphQL grant on a property might be cached with different objects
In short
API Platform Core has a caching bug where GraphQL permission checks on properties can be incorrectly reused for different objects, potentially allowing unauthorized access to data that should be restricted.
Technical detail
The ItemNormalizer::isCacheKeySafe() method fails to prevent cache key generation for GraphQL field-level authorization checks; the parent normalize() method still creates the cache entry, causing permission decisions from one object to be applied to another object in subsequent requests.
Summary generated and translated by AI from the official description.
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17.
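The following is an added example, not code from API Platform or from the advisory: a simplified Python model of the flaw described above, where a subclass declines to set a cache key but the parent normalizer creates one anyway. All class names, the `GRANTS` rule, the sample objects and the opt-out sentinel used in the fixed variant are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Doc:
    owner: str
    title: str
    secret: str

# Constructed rule: "secret" is readable only by the object's owner.
GRANTS = {"secret": lambda user, obj: obj.owner == user}

class BaseNormalizer:
    def __init__(self):
        self.attr_cache = {}  # cache key -> allowed attribute names

    def allowed(self, obj, ctx):
        return [n for n in vars(obj)
                if n not in GRANTS or GRANTS[n](ctx["user"], obj)]

    def normalize(self, obj, ctx):
        # Parent behaviour: a missing key is created here, per class and user.
        key = ctx.get("cache_key", (type(obj).__name__, ctx["user"]))
        if key is False:                      # explicit opt-out: no reuse
            names = self.allowed(obj, ctx)
        else:
            names = self.attr_cache.setdefault(key, self.allowed(obj, ctx))
        return {n: getattr(obj, n) for n in names}

class VulnerableNormalizer(BaseNormalizer):
    def is_cache_key_safe(self, ctx):
        return not GRANTS                     # per-object grants -> unsafe

    def normalize(self, obj, ctx):
        ctx = dict(ctx)
        if self.is_cache_key_safe(ctx):
            ctx["cache_key"] = ("safe", type(obj).__name__)
        # Unsafe: no key is set, so the parent still creates one.
        return super().normalize(obj, ctx)

class FixedNormalizer(VulnerableNormalizer):
    def normalize(self, obj, ctx):
        ctx = dict(ctx)
        if not self.is_cache_key_safe(ctx):
            ctx["cache_key"] = False          # tell the parent not to cache
        return BaseNormalizer.normalize(self, obj, ctx)

def demo(normalizer):
    ctx = {"user": "alice"}
    own = normalizer.normalize(Doc("alice", "mine", "a-secret"), ctx)
    other = normalizer.normalize(Doc("bob", "his", "b-secret"), ctx)
    return own, other
```

In the vulnerable variant the attribute list computed for the first object is reused for the second, so the grant is never re-evaluated against the new object. A regression test for this class of bug should normalize two objects with different grant outcomes through the same normalizer instance.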
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
api-platform · core
References
https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8
https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a
https://github.com/api-platform/core/releases/tag/v3.4.17
https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3