GHSA-CG3C-245W-728M
Vulnerability from github – Published: 2025-04-04 14:07 – Updated: 2025-08-29 21:07
VLAI?
Summary
GraphQL query operations security can be bypassed
Details
Summary
Using the Relay special node type you can bypass the configured security on an operation.
Details
Here is an example of how to apply security configurations for the GraphQL operations:
#[ApiResource(
security: "is_granted('ROLE_USER')",
operations: [ /* ... */ ],
graphQlOperations: [
new Query(security: "is_granted('ROLE_USER')"),
//...
],
)]
class Book { /* ... */ }
This indeed checks is_granted('ROLE_USER') as expected for a GraphQL query like the following:
query {
book(id: "/books/1") {
title
}
}
But the security check can be bypassed by using the node field (that is available by default) on the root query type like that:
query {
node(id: "/books/1") {
... on Book {
title
}
}
}
This does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API.
Impact
Everyone using GraphQl with the security attribute. Not sure whereas this works with custom resolvers nor if this also applies on mutation.
Patched at https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-alpha.1"
},
{
"fixed": "4.0.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-alpha.1"
},
{
"fixed": "4.0.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0-alpha.1"
},
{
"fixed": "4.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/core"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0-alpha.1"
},
{
"fixed": "4.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-31481"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-04T14:07:20Z",
"nvd_published_at": "2025-04-03T20:15:25Z",
"severity": "HIGH"
},
"details": "### Summary\n\nUsing the Relay special `node` type you can bypass the configured security on an operation.\n\n### Details\n\nHere is an example of how to apply security configurations for the GraphQL operations:\n\n```php\n#[ApiResource(\n security: \"is_granted(\u0027ROLE_USER\u0027)\",\n operations: [ /* ... */ ],\n graphQlOperations: [\n new Query(security: \"is_granted(\u0027ROLE_USER\u0027)\"),\n //...\n ],\n)]\nclass Book { /* ... */ }\n```\n\nThis indeed checks `is_granted(\u0027ROLE_USER\u0027)` as expected for a GraphQL query like the following:\n\n```php\n\u200cquery {\n book(id: \"/books/1\") {\n title\n }\n}\n```\n\nBut the security check can be bypassed by using the `node` field (that is available by default) on the root query type like that:\n\n```php\n\u200cquery {\n node(id: \"/books/1\") {\n ... on Book {\n title\n }\n }\n}\n```\n\nThis does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API.\n\n### Impact\n\nEveryone using GraphQl with the `security` attribute. Not sure whereas this works with custom resolvers nor if this also applies on mutation.\n\nPatched at https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568",
"id": "GHSA-cg3c-245w-728m",
"modified": "2025-08-29T21:07:09Z",
"published": "2025-04-04T14:07:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31481"
},
{
"type": "WEB",
"url": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb"
},
{
"type": "WEB",
"url": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2025-31481.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/graphql/CVE-2025-31481.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/api-platform/core"
},
{
"type": "WEB",
"url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
},
{
"type": "WEB",
"url": "https://github.com/api-platform/core/releases/tag/v4.1.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "GraphQL query operations security can be bypassed"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…