GHSA-cg3c-245w-728m

Source
https://github.com/advisories/GHSA-cg3c-245w-728m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-cg3c-245w-728m/GHSA-cg3c-245w-728m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cg3c-245w-728m
Aliases
Published
2025-04-04T14:07:20Z
Modified
2025-04-08T13:47:35.180761Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
GraphQL query operations security can be bypassed
Details

Summary

Using the Relay special node type you can bypass the configured security on an operation.

Details

Here is an example of how to apply security configurations for the GraphQL operations:

#[ApiResource(
    security: "is_granted('ROLE_USER')",
    operations: [ /* ... */ ],
    graphQlOperations: [
        new Query(security: "is_granted('ROLE_USER')"),
        //...
    ],
)]
class Book { /* ... */ }

This indeed checks is_granted('ROLE_USER') as expected for a GraphQL query like the following:

query {
    book(id: "/books/1") {
        title
    }
}

But the security check can be bypassed by using the node field (which is available by default) on the root query type, like this:

query {
    node(id: "/books/1") {
        ... on Book {
            title
        }
    }
}

This path does not execute any security checks and can therefore be used to access any entity without restrictions by everyone who has access to the API.
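The mitigation principle behind the fix, as an added Python model that is not api-platform's code: a Relay `node` resolver has to map the global id back to its resource type and apply that type's configured query security, exactly as the typed `book` field does. `RESOURCES`, `STORE`, the role sets and every helper name here are constructed for this illustration.

```python
# Constructed resource configuration modelled on the advisory's Book example:
# each type declares the security expression of its GraphQL Query operation.
RESOURCES = {"Book": {"iri_prefix": "/books/", "security": "is_granted('ROLE_USER')"}}
# Constructed sample data keyed by IRI (the global id the `node` field receives).
STORE = {"/books/1": {"title": "Constructed sample book"}}

def check_security(expr, user_roles):
    """Evaluate the only expression form used here: is_granted('ROLE_X')."""
    role = expr[len("is_granted('"):-2]
    if role not in user_roles:
        raise PermissionError("denied by " + expr)

def query_book(user_roles, iri):
    """Type-specific root field: enforces the configured security, as the advisory shows."""
    check_security(RESOURCES["Book"]["security"], user_roles)
    return STORE[iri]

def node_vulnerable(user_roles, iri):
    """Root `node` field as described in the advisory: resolves the id, checks nothing."""
    return STORE[iri]

def type_for_iri(iri):
    """Map a global id back to the resource type it belongs to."""
    for name, cfg in RESOURCES.items():
        if iri.startswith(cfg["iri_prefix"]):
            return name
    raise LookupError(iri)

def node_hardened(user_roles, iri):
    """Hardened `node`: resolve the id to its type and apply that type's query
    security before returning the entity, so both paths enforce the same rule."""
    check_security(RESOURCES[type_for_iri(iri)]["security"], user_roles)
    return STORE[iri]

def bypass_exists(node_resolver, user_roles, iri):
    """Regression check: does `node` return an entity the typed query denies?"""
    try:
        query_book(user_roles, iri)
        return False  # the typed query already allows it; nothing to bypass
    except PermissionError:
        pass
    try:
        node_resolver(user_roles, iri)
        return True
    except PermissionError:
        return False
```

`bypass_exists` is the shape of test worth keeping in a suite after upgrading: it fails only when the generic `node` path is more permissive than the typed query for the same identity.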

Impact

Everyone using GraphQL with the security attribute is affected. It is not yet known whether this also works with custom resolvers or whether it applies to mutations as well.

Patched at https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568

Database specific
{
    "nvd_published_at": "2025-04-03T20:15:25Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-04T14:07:20Z"
}
References

Affected packages

Packagist / api-platform/graphql

Package

Name
api-platform/graphql
Purl
pkg:composer/api-platform/graphql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0-alpha.1
Fixed
4.0.22

Affected versions

v4.*

v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-alpha.6
v4.0.0-alpha.7
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.16
v4.0.17
v4.0.18
v4.0.19
v4.0.20
v4.0.21

Packagist / api-platform/core

Package

Name
api-platform/core
Purl
pkg:composer/api-platform/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0-alpha.1
Fixed
4.0.22

Affected versions

v4.*

v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-alpha.6
v4.0.0-alpha.7
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.16
v4.0.17
v4.0.18
v4.0.19
v4.0.20
v4.0.21

Packagist / api-platform/graphql

Package

Name
api-platform/graphql
Purl
pkg:composer/api-platform/graphql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.4.17

Affected versions

v3.*

v3.2.0-beta.1
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.25
v3.3.0-alpha.1
v3.3.0-beta.1
v3.3.3
v3.3.4
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.3.11
v3.3.13
v3.3.14
v3.3.15
v3.4.0-alpha.1
v3.4.0-alpha.2
v3.4.0-alpha.3
v3.4.0-alpha.4
v3.4.0-alpha.5
v3.4.0-alpha.6
v3.4.0-alpha.7
v3.4.0-beta.1
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.4.10
v3.4.11
v3.4.13
v3.4.14
v3.4.15
v3.4.16

Packagist / api-platform/core

Package

Name
api-platform/core
Purl
pkg:composer/api-platform/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.4.17

Affected versions

v1.*

v1.0.0-beta
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0
v1.0.1
v1.1.0-beta.1
v1.1.0-beta.2
v1.1.0
v1.1.1

v2.*

v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.0-rc.3
v2.0.0-rc.4
v2.0.0-rc.5
v2.0.0-rc.6
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.0.10
v2.0.11
v2.1.0-beta.1
v2.1.0-beta.2
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.2.0-beta.1
v2.2.0-beta.2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.2.10
v2.3.0-beta.1
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.4.0-beta.1
v2.4.0-beta.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.5.0-beta.1
v2.5.0-beta.2
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.6.0-alpha.1
v2.6.0-beta.1
v2.6.0
v2.6.1
v2.6.2
v2.6.3.alpha
v2.6.3-alpha.1
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.7.0-alpha.1
v2.7.0-alpha.2
v2.7.0-alpha.3
v2.7.0-alpha.4
v2.7.0-alpha.5
v2.7.0-alpha.6
v2.7.0-alpha.7
v2.7.0-beta.1
v2.7.0-beta.2
v2.7.0-beta.3
v2.7.0-beta.4
v2.7.0-beta.5
v2.7.0-rc.1
v2.7.0-rc.2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18

v3.*

v3.0.0-beta.1
v3.0.0-beta.2
v3.0.0-rc.1
v3.0.0-rc.2
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.10
v3.0.11
v3.0.12
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.20
v3.1.21
v3.1.22
v3.1.23
v3.1.24
v3.1.25
v3.1.26
v3.1.27
v3.1.28
v3.1.29
v3.2.0-alpha.1
v3.2.0-alpha.2
v3.2.0-beta.1
v3.2.0-beta.2
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.18
v3.2.19
v3.2.20
v3.2.21
v3.2.22
v3.2.23
v3.2.24
v3.2.25
v3.2.26
v3.3.0-alpha.1
v3.3.0-alpha.2
v3.3.0-beta.1
v3.3.0-beta.2
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.4.0-alpha.1
v3.4.0-alpha.2
v3.4.0-alpha.3
v3.4.0-alpha.4
v3.4.0-alpha.5
v3.4.0-alpha.6
v3.4.0-alpha.7
v3.4.0-beta.1
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.4.10
v3.4.11
v3.4.14
v3.4.15
v3.4.16