CVE-2025-31481
GraphQL query operations security can be bypassed
In short
A flaw in API Platform Core allows attackers to bypass security rules on GraphQL operations by exploiting the Relay node type feature. This means unauthorized users could perform restricted actions they shouldn't be able to.
Technical detail
The vulnerability exists in API Platform Core's handling of Relay special node types in GraphQL queries, allowing attackers to circumvent configured operation-level security policies. By crafting specially formed queries targeting the Relay node interface, an unauthenticated or unauthorized user can execute restricted operations that should be protected by access control rules.
Summary generated and translated by AI from the official description.
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
api-platform · coreWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bbhttps://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568https://github.com/api-platform/core/releases/tag/v3.4.17https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m