Headline

GHSA-rfw5-cqjj-7v9r: API Platform Core can leak exceptions message that may contain sensitive information

Summary

Exception messages, that are not HTTP exceptions, are visible in the JSON error response.

Details

While we wanted to make our errors compatible with the JSON Problem specification, we ended up handling more exceptions then we did previously (introduced at https://github.com/api-platform/core/pull/5823). Instead of leaving that to Symfony, we ended up serializing errors with our normalizers which lead to not hiding the exception details. Note that the trace is hidden in production but the message is not, and the message can contain sensitive information.

PoC

At https://github.com/ili101/api-platform/tree/test3.2 it triggers an authentication exception as LDAP is not reachable. You can find the message available as a JSON response when trying to reach an endpoint.

Impact

Version 3.2 until 3.2.4 is impacted.

1 month ago

ghsa

Open in Source

#js #git #ldap #auth

GitHub Advisory Database
GitHub Reviewed
CVE-2023-47639

API Platform Core can leak exceptions message that may contain sensitive information

Moderate severity GitHub Reviewed Published Apr 3, 2025 in api-platform/core • Updated Apr 3, 2025

Package

composer api-platform/core (Composer)

Affected versions

>= 3.2.0, < 3.2.5

Summary

Exception messages, that are not HTTP exceptions, are visible in the JSON error response.

Details

While we wanted to make our errors compatible with the JSON Problem specification, we ended up handling more exceptions then we did previously (introduced at api-platform/core#5823). Instead of leaving that to Symfony, we ended up serializing errors with our normalizers which lead to not hiding the exception details. Note that the trace is hidden in production but the message is not, and the message can contain sensitive information.

PoC

Impact

Version 3.2 until 3.2.4 is impacted.

References