CVE-2025-23204

GraphQl securityAfterResolver not called

Description

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to `security`, the impact is there only when there's only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue.

Category

4.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.06%
Affected: api-platform core
Published at:
Updated at:

References

Link Tags
https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3
https://github.com/api-platform/core/pull/6444
https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56
https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620
https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57

Frequently Asked Questions

What is the severity of CVE-2025-23204?
CVE-2025-23204 has been scored as a medium severity vulnerability.
How to fix CVE-2025-23204?
To fix CVE-2025-23204, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-23204 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-23204 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-23204?
CVE-2025-23204 affects api-platform core.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.