CVE-2025-23204

EPSS 0.13%
Veröffentlicht 24.03.2025 15:53:19
Zuletzt bearbeitet 27.03.2025 16:45:46
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to `security`, the impact is there only when there's only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerapi-platform

≫

Produkt core

Version >= 3.3.8, < 3.3.15

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.338

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.4	1.3	2.7	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3

https://github.com/api-platform/core/pull/6444

https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56

https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57

https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620

https://nvd.nist.gov/vuln/detail/CVE-2025-23204

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-23204

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-23204

EUVD