Описание
GraphQL query operations security can be bypassed
Summary
Using the Relay special node type you can bypass the configured security on an operation.
Details
Here is an example of how to apply security configurations for the GraphQL operations:
This indeed checks is_granted('ROLE_USER') as expected for a GraphQL query like the following:
But the security check can be bypassed by using the node field (that is available by default) on the root query type like that:
This does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API.
Impact
Everyone using GraphQl with the security attribute. Not sure whereas this works with custom resolvers nor if this also applies on mutation.
Patched at https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568
Ссылки
- https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m
- https://nvd.nist.gov/vuln/detail/CVE-2025-31481
- https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb
- https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568
- https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2025-31481.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/graphql/CVE-2025-31481.yaml
- https://github.com/api-platform/core/releases/tag/v3.4.17
- https://github.com/api-platform/core/releases/tag/v4.1.5
Пакеты
api-platform/graphql
>= 4.0.0-alpha.1, < 4.0.22
4.0.22
api-platform/core
>= 4.0.0-alpha.1, < 4.0.22
4.0.22
api-platform/graphql
< 3.4.17
3.4.17
api-platform/core
< 3.4.17
3.4.17
api-platform/graphql
>= 4.1.0-alpha.1, < 4.1.5
4.1.5
api-platform/core
>= 4.1.0-alpha.1, < 4.1.5
4.1.5
Связанные уязвимости
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.