Cacheability Issue in API Platform Core Affecting GraphQL APIs
CVE-2025-31485
7.5 HIGH
What is CVE-2025-31485?
API Platform Core, designed for building hypermedia-driven REST and GraphQL APIs, has a vulnerability in versions before 4.0.22: a GraphQL grant on a property may be incorrectly cached across different objects. The method ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() is intended to protect against unsafe caching; however, because of how the parent::normalize method is implemented, a cache key is still generated, which can lead to cache-related problems. This flaw has been addressed in version 4.0.22.
Affected Version(s)
core: >= 4.0.0-alpha.1, < 4.0.22
core: < 3.4.17
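
The following is an added example, not code from the advisory or from the API Platform project: a check of a composer.lock file against the affected ranges listed above. It assumes the Composer package name api-platform/core (the page only says "core"), the standard composer.lock layout, and a simplified pre-release ordering (dev < alpha < beta < rc < release).

```python
import json
import re

# Affected ranges from the advisory above: (inclusive lower bound or None, exclusive upper bound).
AFFECTED = [("4.0.0-alpha.1", "4.0.22"), (None, "3.4.17")]
# Simplified stability order; a plain release sorts after every pre-release.
STABILITY = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, "": 4}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-?(dev|alpha|beta|rc)\.?(\d*))?", re.I)

def parse(version):
    """Turn '4.0.0-alpha.1', 'v4.0.21' or '4.0.0-RC1' into a sortable tuple."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    tag = (m.group(4) or "").lower()
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)),
            STABILITY[tag], int(m.group(5) or 0))

def is_affected(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse(version)
    return any((lo is None or parse(lo) <= v) and v < parse(hi) for lo, hi in AFFECTED)

def audit_lock(lock_text, package="api-platform/core"):
    """Return [(name, version, affected)]; affected is None for branch aliases such as dev-main."""
    lock = json.loads(lock_text)
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != package:
                continue
            try:
                verdict = is_affected(pkg["version"])
            except ValueError:
                verdict = None  # cannot be compared; review by hand
            found.append((pkg["name"], pkg["version"], verdict))
    return found

# Constructed sample composer.lock content, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "api-platform/core", "version": "v4.0.21"},
    {"name": "symfony/serializer", "version": "v7.2.0"},
]})

if __name__ == "__main__":
    for name, version, affected in audit_lock(SAMPLE_LOCK):
        status = {True: "AFFECTED", False: "not in an affected range", None: "unknown"}[affected]
        print(f"{name} {version}: {status}")
```
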
