CVE-2025-31481 HIGH

CVE-2025-31481: GraphQL query operations security can be bypassed

Vendor Api-Platform

Product core

Weakness CWE-863 · Incorrect authorization

Published April 3, 2025

Last update April 8, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.

Key dates

02Disclosure timeline

April 3, 2025 CVE published

April 8, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-31481 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2025-31481

CWE CWE-863

CVSS 7.5 / HIGH

Affected versions

Vendor Api-Platform

Product core

Affected >= 4.0.0, < 4.0.22

Vendor Api-Platform

Product core

Affected < 3.4.17

CVE-2025-31481: GraphQL query operations security can be bypassed

01Description

02Disclosure timeline

03References

04Related CVE