THREATINT
PUBLISHED

CVE-2025-31485

GraphQL grant on a property might be cached with different objects



Description

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching, but the parent::normalize method, which is called afterwards, still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17.

Reserved 2025-03-28 | Published 2025-04-03 | Updated 2025-04-08 | Assigner GitHub_M


HIGH: 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-696: Incorrect Behavior Order

Product status

>= 4.0.0-alpha.1, < 4.0.22: affected

< 3.4.17: affected

References

github.com/...m/core/security/advisories/GHSA-428q-q3vv-3fq3

github.com/...ommit/7af65aad13037d7649348ee3dcd88e084ef771f8

github.com/...ommit/cba3acfbd517763cf320167250c5bed6d569696a

github.com/api-platform/core/releases/tag/v3.4.17

cve.org (CVE-2025-31485)

nvd.nist.gov (CVE-2025-31485)
