98 matches found
Information Exposure
Overview api-platform/core is a builds a fully-featured hypermedia or GraphQL API in minutes. Affected versions of this package are vulnerable to Information Exposure through the JSON error response. An attacker can obtain sensitive information by exploiting the visibility of exception messages...
CVE-2023-47639
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5...
CVE-2023-47639
CVE-2023-47639 affects API Platform Core. From versions 3.2.0 through 3.2.4, exception messages that are not HTTP exceptions are exposed in the JSON error response, potentially leaking sensitive internal information. The issue is resolved in version 3.2.5. Affected component is API Platform Core’...
CVE-2023-47639 API Platform Core can leak exceptions message that may contain sensitive information
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5...
CVE-2023-47639 API Platform Core can leak exceptions message that may contain sensitive information
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5...
CVE-2023-47639 API Platform Core can leak exceptions message that may contain sensitive information
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5...
GHSA-RFW5-CQJJ-7V9R API Platform Core can leak exceptions message that may contain sensitive information
Summary Exception messages, that are not HTTP exceptions, are visible in the JSON error response. Details While we wanted to make our errors compatible with the JSON Problem specification, we ended up handling more exceptions then we did previously introduced at...
API Platform Core can leak exceptions message that may contain sensitive information
Summary Exception messages, that are not HTTP exceptions, are visible in the JSON error response. Details While we wanted to make our errors compatible with the JSON Problem specification, we ended up handling more exceptions then we did previously introduced at...
Improper Security Check Handling
api-platform/core is vulnerable to Improper Security Check Handling. The vulnerability is due to a missing break statement in the security check logic, caused by a fallback mechanism that replaces the intended security check after GraphQL resolvers. It allows an attacker to bypass intended securi...
PT-2025-14796 · Unknown · Api Platform Core
Name of the Vulnerable Software and Affected Versions: API Platform Core versions prior to 4.0.22 Description: The issue concerns a caching problem in GraphQL grants on properties, which can lead to incorrect caching with different objects. The...
API Platform Core 安全漏洞
API Platform Core is a server component of API Platform open source by API Platform. A security vulnerability exists in API Platform Core version 3.2.0 that stems from a non-HTTP exception message being visible in a JSON error response...
API Platform Core 安全漏洞
API Platform Core is a server component of API Platform open source by API Platform. A security vulnerability exists in API Platform Core versions prior to 4.0.21 that stems from a GraphQL license that may cache different objects...
PT-2025-14792
Name of the Vulnerable Software and Affected Versions API Platform Core versions prior to 4.0.22 Description The issue allows bypassing configured security on an operation using the Relay special node type in hypermedia-driven REST and GraphQL APIs. Recommendations For versions prior to 4.0.22,...
GHSA-7MXX-3CGM-XXV3 API Platform Core does not call GraphQl securityAfterResolver
Summary A security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in this clause: https://github.com/api-platform/core/pull/6444/filesdiff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56...
API Platform Core does not call GraphQl securityAfterResolver
Summary A security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in this clause: https://github.com/api-platform/core/pull/6444/filesdiff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56...
CVE-2025-23204
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to security, the impact is there only when...
CVE-2025-23204 GraphQl securityAfterResolver not called
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to security, the impact is there only when...
CVE-2025-23204
The CVE affects api-platform/core. Starting in version 3.3.8, a logic flaw in the GraphQL security flow is caused by an omitted break in the AccessCheckerProvider switch that is supposed to run after GraphQL resolvers; this fallback can bypass security checks if there is only a post-resolver secu...
CVE-2025-23204 GraphQl securityAfterResolver not called
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to security, the impact is there only when...
CVE-2024-2796
A server-side request forgery SSRF was discovered in the Akana API Platform in versions prior to and including 2022.1.3. Reported by Jakob Antonsson...