Using the Relay special node
type you can bypass the configured security on an operation.
Here is an example of how to apply security configurations for the GraphQL operations:
#[ApiResource(
security: "is_granted('ROLE_USER')",
operations: [ /* ... */ ],
graphQlOperations: [
new Query(security: "is_granted('ROLE_USER')"),
//...
],
)]
class Book { /* ... */ }
This indeed checks is_granted('ROLE_USER')
as expected for a GraphQL query like the following:
query {
book(id: "/books/1") {
title
}
}
But the security check can be bypassed by using the node
field (that is available by default) on the root query type like that:
query {
node(id: "/books/1") {
... on Book {
title
}
}
}
This does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API.
Everyone using GraphQl with the security
attribute. Not sure whereas this works with custom resolvers nor if this also applies on mutation.
Patched at https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568
{ "nvd_published_at": "2025-04-03T20:15:25Z", "cwe_ids": [ "CWE-863" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-04-04T14:07:20Z" }