7.5
CVE-2025-31485
- EPSS 0.41%
- Veröffentlicht 03.04.2025 19:31:46
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
GraphQL grant on a property might be cached with different objects
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerapi-platform
≫
Produkt
core
Version
>= 4.0.0-alpha.1, < 4.0.22
Status
affected
Version
< 3.4.17
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.41% | 0.327 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-696 Incorrect Behavior Order
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3
https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8
https://github.com/api-platform/core/releases/tag/v3.4.17
https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a