Vulnerability DatabaseCVE-2025-23204
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-23204
March 24, 2025
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to "security", the impact is there only when there's only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue.
Affected Packages
api-platform/core (PHP):
Affected version(s) >=v3.3.8 <v3.3.15
Fix Suggestion:
Update to version v3.3.15
Related ResourcesĀ (7)
https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57
https://github.com/api-platform/core/pull/6444
https://github.com/api-platform/core
https://nvd.nist.gov/vuln/detail/CVE-2025-23204
https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620
https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56
https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Omitted Break Statement in Switch
CWE-484
Improper Input Validation
CWE-20
EPSS
Base Score:
0.14