CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-31481: The Relay Race to Nowhere: Bypassing Auth in API Platform's GraphQL Node Interface

Vulnerability ID: CVE-2025-31481
CVSS Score: 7.5
Published: 2025-04-03

A logic error in API Platform's GraphQL Relay implementation allows attackers to bypass security rules by querying resources via the global node interface, effectively ignoring configured access controls.

TL;DR

API Platform's implementation of the GraphQL Relay node field did not load the security metadata of the resource being resolved. By requesting a sensitive resource through node(id: "/iri"), an attacker could sidestep the resource's security attribute (for example one requiring ROLE_ADMIN) and read data they should not see. The fix forces a reverse lookup of the operation metadata from the requested IRI, so the resource's own security rules are enforced.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863 (Incorrect Authorization)
  • CVSS v3.1: 7.5 (High)
  • Attack Vector: Network (GraphQL API)
  • Impact: Confidentiality Loss (Data Exfiltration)
  • Exploit Status: Trivial / PoC Available
  • KEV Status: Not Listed

Affected Systems

  • api-platform/core < 3.4.17 (fixed in 3.4.17)
  • api-platform/core >= 4.0.0, < 4.0.22 (fixed in 4.0.22)

Code Analysis

Commit: 60747cc

Introduced RuntimeOperationMetadataFactory to resolve operations from IRIs

```php
// When no operation was resolved for the node lookup, derive it from the
// requested IRI so the resource's own security metadata is applied.
if (!$operation) {
    $operation = $this->operationMetadataFactory->create($args['id']);
}
```

Exploit Details

Mitigation Strategies

  • Upgrade API Platform Core to a patched version immediately.
  • If upgrading is impossible, disable the GraphQL Relay 'node' query if not strictly required by your frontend client.
  • Audit logs for excessive use of the node query by unprivileged clients (for example, grouped by source IP address).
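
As an added example (not code from the original report or from API Platform itself), the audit in the last bullet run over constructed sample log lines: it flags node lookups of a sensitive IRI by callers lacking the role the resource's security expression requires, and counts node lookups per client IP. The log field names and the sensitive-prefix policy are assumptions for the example.

```python
import json
import re
from collections import Counter

# Constructed sample access log (one JSON record per line). Field names
# ts/client_ip/roles/query are an assumption, not API Platform's own format.
SAMPLE_LOG = r"""
{"ts":"2025-04-03T10:00:01Z","client_ip":"203.0.113.5","roles":["ROLE_USER"],"query":"{ node(id: \"/users/1\") { id } }"}
{"ts":"2025-04-03T10:00:02Z","client_ip":"203.0.113.5","roles":["ROLE_USER"],"query":"{ node(id: \"/admin_reports/7\") { ... on AdminReport { id body } } }"}
{"ts":"2025-04-03T10:00:03Z","client_ip":"203.0.113.5","roles":["ROLE_USER"],"query":"{ node(id: \"/admin_reports/8\") { ... on AdminReport { id body } } }"}
{"ts":"2025-04-03T10:00:04Z","client_ip":"198.51.100.9","roles":["ROLE_ADMIN"],"query":"{ node(id: \"/admin_reports/7\") { ... on AdminReport { id } } }"}
{"ts":"2025-04-03T10:00:05Z","client_ip":"203.0.113.5","roles":["ROLE_USER"],"query":"{ users { edges { node { id } } } }"}
"""

# Constructed policy: sensitive IRI prefix -> role its security expression requires.
POLICY = {"/admin_reports/": "ROLE_ADMIN"}
# Relay global node lookup; group 1 is the requested IRI.
NODE_RE = re.compile(r'\bnode\s*\(\s*id\s*:\s*"([^"]+)"')

def parse_records(log_text):
    """Yield one dict per non-empty JSON line."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        if raw:
            yield json.loads(raw)

def node_iri(query):
    """Return the IRI passed to node(id: ...), or None if there is no node lookup."""
    match = NODE_RE.search(query)
    return match.group(1) if match else None

def find_suspicious(log_text, policy=POLICY):
    """Flag node lookups of a sensitive IRI by a caller lacking the required role."""
    findings = []
    for rec in parse_records(log_text):
        iri = node_iri(rec["query"])
        if iri is None:
            continue
        for prefix, role in policy.items():
            if iri.startswith(prefix) and role not in rec.get("roles", []):
                findings.append({"ts": rec["ts"], "client_ip": rec["client_ip"],
                                 "iri": iri, "missing_role": role})
    return findings

def node_queries_per_ip(log_text):
    """Count node lookups per client IP to spot unusually heavy use of the field."""
    return Counter(rec["client_ip"] for rec in parse_records(log_text)
                   if node_iri(rec["query"]) is not None)
```

On a patched deployment these requests are refused rather than served, but the attempts still appear in the log, so the same check remains useful after upgrading.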

Remediation Steps:

  1. Run composer update api-platform/core to fetch version 3.4.17 or 4.0.22/4.1.5.
  2. Verify the update by checking composer.lock.
  3. Clear the Symfony cache: php bin/console cache:clear.
  4. Test the node endpoint with a sensitive IRI to ensure it now returns a 403 Forbidden.
