GHSA-cg3c-245w-728m: GraphQL query operations security can be bypassed

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-31481

GraphQL query operations security can be bypassed

High severity GitHub Reviewed Published Apr 3, 2025 in api-platform/core • Updated Apr 4, 2025

Package

composer api-platform/core (Composer)

Affected versions

< 4.0.22

composer api-platform/graphql (Composer)

Summary

Using the Relay special node type you can bypass the configured security on an operation.

Details

Here is an example of how to apply security configurations for the GraphQL operations:

#[ApiResource( security: "is_granted(‘ROLE_USER’)", operations: [ /* … */ ], graphQlOperations: [ new Query(security: "is_granted(‘ROLE_USER’)"), //… ], )] class Book { /* … */ }

This indeed checks is_granted(‘ROLE_USER’) as expected for a GraphQL query like the following:

‌query { book(id: “/books/1”) { title } }

But the security check can be bypassed by using the node field (that is available by default) on the root query type like that:

‌query { node(id: “/books/1”) { … on Book { title } } }

This does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API.

Impact

Everyone using GraphQl with the security attribute. Not sure whereas this works with custom resolvers nor if this also applies on mutation.

Patched at api-platform/core@60747cc

References

• GHSA-cg3c-245w-728m
• https://nvd.nist.gov/vuln/detail/CVE-2025-31481
• api-platform/core@60747cc

Published to the GitHub Advisory Database

Apr 4, 2025