7.5

CVE-2025-31485

EPSS 0.03%
Veröffentlicht 03.04.2025 19:31:46
Zuletzt bearbeitet 08.04.2025 14:15:35
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerapi-platform

≫

Produkt core

Version >= 4.0.0-alpha.1, < 4.0.22

Status affected

Version < 3.4.17

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.064

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-696 Incorrect Behavior Order

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3

https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8

https://github.com/api-platform/core/releases/tag/v3.4.17

https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a

https://nvd.nist.gov/vuln/detail/CVE-2025-31485

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-31485

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-31485

EUVD