Home > Vulnerability Database > CVE-2025-23204

Mend.io Vulnerability Database

CVE-2025-23204

Good to know:

Date: March 24, 2025

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to "security", the impact is there only when there's only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue.

Severity Score

4.4

Related Resources (8)

Url: https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620

Url: https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-23204

Url: https://github.com/api-platform/core

Url: https://github.com/api-platform/core/pull/6444

Url: https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56

Url: https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3

Url: https://www.mend.io/vulnerability-database/CVE-2025-23204

Severity Score

4.4

Weakness Type (CWE)

Improper Input Validation

CWE-20

Omitted Break Statement in Switch

CWE-484

Top Fix

Upgrade Version

Upgrade to version api-platform/core - v3.3.15

Learn More

CVSS v3.1

Base Score:	4.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-23204

Good to know:

Date: March 24, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?