ghsa-cg3c-245w-728m
Vulnerability from github
Published
2025-04-04 14:07
Modified
2025-04-08 13:14
Summary
GraphQL query operations security can be bypassed
Details

Summary

Using the Relay special node type you can bypass the configured security on an operation.

Details

Here is an example of how to apply security configurations for the GraphQL operations:

```php
#[ApiResource(
    security: "is_granted('ROLE_USER')",
    operations: [ /* ... */ ],
    graphQlOperations: [
        new Query(security: "is_granted('ROLE_USER')"),
        //...
    ],
)]
class Book { /* ... */ }
```

This indeed checks `is_granted('ROLE_USER')` as expected for a GraphQL query like the following:

```graphql
query {
    book(id: "/books/1") {
        title
    }
}
```

But the security check can be bypassed by using the `node` field (that is available by default) on the root query type like that:

```graphql
query {
    node(id: "/books/1") {
        ... on Book {
            title
        }
    }
}
```

This does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API.
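To make the mechanism concrete, here is an added example (not API Platform code) that models the two resolution paths described above: the per-resource `book(id:)` query, which enforces the operation's `security` expression, and the Relay `node(id:)` field, shown both as it behaved before the patch (no check) and with the check the fix is expected to apply. The `Resource`, `Schema` and `Context` classes, the tiny `is_granted` expression evaluator and the "Dune" sample row are all constructed here for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Resource:
    """Mirrors `#[ApiResource(graphQlOperations: [new Query(security: ...)])]` (constructed model)."""
    name: str
    iri_prefix: str                  # e.g. "/books"; node(id:) receives an IRI
    query_security: Optional[str]    # e.g. "is_granted('ROLE_USER')", or None
    rows: dict = field(default_factory=dict)

@dataclass
class Context:
    """The caller's granted roles (stand-in for the Symfony security token)."""
    roles: set = field(default_factory=set)

def check(expr: Optional[str], ctx: Context) -> bool:
    """Evaluate only the `is_granted('ROLE_X')` form used on this page."""
    if expr is None:
        return True
    if expr.startswith("is_granted('") and expr.endswith("')"):
        return expr[len("is_granted('"):-2] in ctx.roles
    raise ValueError(f"unsupported security expression: {expr}")

class Schema:
    def __init__(self, resources: list) -> None:
        self.resources = {r.name: r for r in resources}

    def _resource_for_iri(self, iri: str) -> Resource:
        """The Relay node resolver maps an IRI back to its resource class."""
        for r in self.resources.values():
            if iri.startswith(r.iri_prefix + "/"):
                return r
        raise KeyError(iri)

    def query_item(self, name: str, iri: str, ctx: Context) -> dict:
        """`book(id:)`: the configured Query security is enforced."""
        res = self.resources[name]
        if not check(res.query_security, ctx):
            raise PermissionError("Access Denied.")
        return res.rows[iri]

    def node_vulnerable(self, iri: str, ctx: Context) -> dict:
        """`node(id:)` before the fix: any IRI resolves, no security check runs."""
        return self._resource_for_iri(iri).rows[iri]

    def node_fixed(self, iri: str, ctx: Context) -> dict:
        """After the fix: apply the target resource's own Query security."""
        res = self._resource_for_iri(iri)
        if not check(res.query_security, ctx):
            raise PermissionError("Access Denied.")
        return res.rows[iri]

def is_denied(fn, *args) -> bool:
    """True when the resolver raises PermissionError (used by the checks below)."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

Running the three resolvers with an anonymous context shows `node_vulnerable` returning the row that `query_item` refuses, which is the bypass the advisory describes.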

Impact

Everyone using GraphQL with the `security` attribute is affected. Not sure whether this works with custom resolvers or if this also applies to mutations.

Patched at https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568



{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "api-platform/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha.1"
            },
            {
              "fixed": "4.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "api-platform/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha.1"
            },
            {
              "fixed": "4.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "api-platform/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "api-platform/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-04T14:07:20Z",
    "nvd_published_at": "2025-04-03T20:15:25Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nUsing the Relay special `node` type you can bypass the configured security on an operation.\n\n### Details\n\nHere is an example of how to apply security configurations for the GraphQL operations:\n\n```php\n#[ApiResource(\n    security: \"is_granted(\u0027ROLE_USER\u0027)\",\n    operations: [ /* ... */ ],\n    graphQlOperations: [\n        new Query(security: \"is_granted(\u0027ROLE_USER\u0027)\"),\n        //...\n    ],\n)]\nclass Book { /* ... */ }\n```\n\nThis indeed checks `is_granted(\u0027ROLE_USER\u0027)` as expected for a GraphQL query like the following:\n\n```php\n\u200cquery {\n    book(id: \"/books/1\") {\n        title\n    }\n}\n```\n\nBut the security check can be bypassed by using the `node` field (that is available by default) on the root query type like that:\n\n```php\n\u200cquery {\n    node(id: \"/books/1\") {\n        ... on Book {\n            title\n        }\n    }\n}\n```\n\nThis does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API.\n\n### Impact\n\nEveryone using GraphQl with the `security` attribute. Not sure whereas this works with custom resolvers nor if this also applies on mutation.\n\nPatched at https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568",
  "id": "GHSA-cg3c-245w-728m",
  "modified": "2025-04-08T13:14:40Z",
  "published": "2025-04-04T14:07:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31481"
    },
    {
      "type": "WEB",
      "url": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/api-platform/core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GraphQL query operations security can be bypassed"
}