Listen to this Post
How CVE-2025-31485 Works
API Platform Core is a popular PHP framework for building hypermedia-driven REST and GraphQL APIs. Prior to patched versions, the framework contained a critical security flaw in how it handled property-level security grants within its serialization layer.
The vulnerability stems from the `[ApiProperty(security: …)]` attribute, which allows developers to define per-request security predicates that determine whether a specific property is exposed in the API response. When a request is processed, the `ItemNormalizer` computes the structure of the resource—including which attributes, relationships, and links should be included—and caches this computed structure in a `componentsCache` array. This cache is keyed on a `$context[‘cache_key’]` value.
The issue arises because this cache key is set unconditionally before the normalizer delegates to its parent, without adequately incorporating the security context of the current user. As a result, the component structure computed for one request can be reused for a subsequent request.
If a high-privilege user (for whom a security predicate evaluates to true) makes a request first, the cache is populated with the full property structure. A subsequent request from a low-privilege user (for whom the predicate evaluates to false) may then receive the cached structure, inadvertently exposing properties that should have been hidden.
This vulnerability class was originally identified and patched for the GraphQL `ItemNormalizer` in CVE-2025-31485. However, the fix for CVE-2025-31485 only addressed the GraphQL endpoint. The JSON:API and HAL `ItemNormalizer` components contained the identical cache-key logic and remained vulnerable, leaving API Platform applications that expose resources via these formats at risk. The exploitation is particularly pronounced in long-running PHP environments like FrankenPHP, RoadRunner, or Swoole, where the normalizer instance—and its cache—persists across multiple requests.
DailyCVE Form
Platform: ……. API Platform Core
Version: …….. < 3.4.17, 4.0.0-alpha.1 to < 4.0.22, 4.1.0-alpha.1 to < 4.1.5
Vulnerability :…… Information Disclosure via Cache Key Reuse
Severity: ……. High (CVSS 3.1 Base Score: 7.5)
date: ………. April 3, 2025
Prediction: …… Patches expected immediately (fixed in 3.4.17, 4.0.22, 4.1.5)
What Undercode Say: Analytics
The vulnerability introduces a critical information disclosure risk, as an attacker could potentially access sensitive data they are not authorized to view. The following command can be used to check if your project is using a vulnerable version of the API Platform Core package:
composer show api-platform/core | grep versions
To identify if your codebase uses the affected `[ApiProperty(security: …)]` attribute on resources exposed via JSON:API or HAL, you can use a grep command:
grep -r "ApiProperty(security:" ./src/
Review your API configuration to determine which formats are enabled. The following command can help locate format configuration:
grep -r "json_api" ./config/ && grep -r "hal" ./config/
How Exploit: CVE-2025-31485
Exploitation of this vulnerability requires a specific set of conditions to align:
1. The application must expose a resource via the JSON:API or HAL formats.
2. At least one property of that resource must use the `[ApiProperty(security: …)]` attribute with a predicate whose result depends on the current user.
3. A request from a high-privilege user, for whom the predicate evaluates to true, must populate the componentsCache.
4. A subsequent request from a low-privilege user, for whom the predicate evaluates to false, must occur within the lifetime of the same PHP process, allowing the cached structure to be reused.
An attacker would typically need to be an authenticated user with lower privileges and would need to time their request after a high-privilege user has accessed the same resource. This attack vector is particularly dangerous in long-running PHP environments.
Protection: From This CVE
The primary protection is to apply the official patches released by the API Platform team. All three affected branches have received patched releases:
api-platform/core: 3.4.17, 4.0.22, and 4.1.5
api-platform/json-api: Patched versions are included in the core package updates.
api-platform/hal: Patched versions are included in the core package updates.
Until the patch can be applied, the following workarounds are available:
Override the JSON:API and HAL `ItemNormalizer` services to gate the `$context[‘cache_key’]` with a resource-class security check.
Avoid using `[ApiProperty(security: …)]` on resources served as JSON:API or HAL.
Pin your deployment to classic `php-fpm` workers, as the cache does not survive across requests in this model, which limits exposure.
Impact
The impact of this vulnerability is the unauthorized disclosure of sensitive information. An attacker with lower privileges could view the structure of properties that the security predicate would have otherwise hidden for them. This could include Personally Identifiable Information (PII), internal identifiers, or other sensitive data fields that are not meant to be publicly accessible. The CVSS score of 7.5 (High) reflects the network-based attack vector, low attack complexity, and the potential for high confidentiality impact.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

