Cachability Issue in API Platform Core Affecting GraphQL APIs
CVE-2025-31485

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
3 April 2025

What is CVE-2025-31485?

API Platform Core, designed for building hypermedia-driven REST and GraphQL APIs, has a vulnerability where a GraphQL grant on a property may be incorrectly cached with different objects before version 4.0.22. The method ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() intends to protect against unsafe caching; however, due to the implementation of the parent::normalize method, a cache key is still generated, leading to potential cache-related problems. This flaw has been addressed in version 4.0.22.

Affected Version(s)

core >= 4.0.0-alpha.1, < 4.0.22 < 4.0.0-alpha.1, 4.0.22

core < 3.4.17 < 3.4.17

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.