api-platform/core Security Advisories (7)
-
[MEDIUM] API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
PKSA-3ncz-km6v-5vjr CVE-2026-49858 GHSA-pjhx-3c3w-9v23
Affected version: >=4.3.0,<4.3.8|>=4.2.0,<4.2.25|>=2.6.0,<4.1.29
Reported by:
GitHub -
[HIGH] GraphQL grant on a property might be cached with different objects
PKSA-gs8r-6kz6-pp56 CVE-2025-31485 GHSA-428q-q3vv-3fq3
Affected version: <3.4.17|>=4.0.0,<4.0.22|>=4.1.0,<4.1.5
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[HIGH] GraphQL query operations security can be bypassed
PKSA-gnn4-pxdg-q76m CVE-2025-31481 GHSA-cg3c-245w-728m
Affected version: <3.4.17|>=4.0.0,<4.0.22|>=4.1.0,<4.1.5
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] API Platform Core can leak exceptions message that may contain sensitive information
PKSA-q2bp-c9gn-wy37 CVE-2023-47639 GHSA-rfw5-cqjj-7v9r
Affected version: >=3.2.0,<3.2.5
Reported by:
GitHub -
[MEDIUM] API Platform Core does not call GraphQl securityAfterResolver
PKSA-jms4-fggn-5mmn CVE-2025-23204 GHSA-7mxx-3cgm-xxv3
Affected version: >=3.3.8,<3.3.15
Reported by:
GitHub -
[HIGH] CVE-2023-25575: Secured properties may be accessible within collections
PKSA-dsd6-6541-26zs CVE-2023-25575 GHSA-vr2x-7687-h6qv
Affected version: >=2.6.0,<2.7.10|>=3.0.0,<3.0.12|>=3.1.0,<3.1.3
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] CVE-2019-1000011: Access control bypass in GraphQL mutations
PKSA-2j74-htpf-prz8 CVE-2019-1000011 GHSA-974j-wjxx-wggj
Affected version: >=2.2.0,<2.2.10|>=2.3.0,<2.3.6
Reported by:
FriendsOfPHP/security-advisories, GitHub