The vulnerability is in API Platform's GraphQL `ItemNormalizer` when it serializes entity properties guarded by a property-level security expression (`ApiProperty(security: ...)`). The outcome of that security check ends up in the normalizer's attribute cache, which is keyed by class and serialization context rather than by object, so the expression is evaluated only once and the cached verdict is reused for every later object of the same class in the request, even though the expression depends on the object (its owner, for example). `isCacheKeySafe()` is meant to flag such contexts as uncacheable, but `parent::normalize()` still caches the result, so the authorization decision taken for the first object is applied to all the others. A requester who may read the property on one object therefore receives it on objects they are not authorized for (and, in the reverse order, can be wrongly denied it on objects they own).
DailyCVE Form:
Platform: API Platform
Version: < 2.7.8
Vulnerability: Authorization bypass (cached property-level security check)
Severity: Critical
Date: 2023-XX-XX
What Undercode Says:
Exploitation:
1. Authenticate as a user who is allowed to read a property guarded by `ApiProperty(security: ...)` on at least one object (for example, one they own).
2. Send a single GraphQL query whose response serializes that object first and, in the same collection or response, further objects of the same class on which the check should fail.
3. The security expression is evaluated once, for the first object, and the cached grant is reused for the rest, so the restricted property is returned for every object in the response.
Mitigation:
1. Update to API Platform ≥ 2.7.8 (confirm the exact affected range against the advisory below); this is the actual fix.
2. Stopgap only, if you cannot upgrade immediately: override `ItemNormalizer` so the parent normalizer never caches the attribute set. The `'cache_key'` context key is the Symfony AbstractObjectNormalizer key that disables its attribute cache; it is reconstructed here, because the key was lost in extraction. Check whether `ItemNormalizer` is declared `final` in your installed version; if it is, decorate the service instead of extending the class. `normalize()` must remain public to be compatible with the parent.

use ApiPlatform\GraphQl\Serializer\ItemNormalizer;

class CustomItemNormalizer extends ItemNormalizer
{
    public function normalize($object, $format = null, array $context = []): array|string|int|float|bool|\ArrayObject|null
    {
        // A false cache key makes the parent skip its attribute cache, so the
        // property security expressions are evaluated for every object.
        $context['cache_key'] = false;

        return parent::normalize($object, $format, $context);
    }
}
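The mechanism behind the bug and the effect of refusing to cache, as an added example that is not API Platform's or Symfony's code: a minimal model normalizer that, like the real one, caches allowed attributes under a key built from class and context only, and a second mode that honours the safety check. `Invoice`, `secretNote`, `ownerId`, `ModelItemNormalizer` and `honourSafetyCheck` are constructed names for illustration; the rule closure stands in for `ApiProperty(security: ...)`, and the two invoices are constructed input.

```php
<?php
// Added example, not API Platform or Symfony code: a stripped-down model of
// the caching flaw and of the hardened behaviour. Class, property and
// parameter names are constructed for illustration.
declare(strict_types=1);

// Constructed resource. secretNote stands for a property carrying a
// property-level security expression such as "object.ownerId == user".
final class Invoice
{
    public function __construct(
        public readonly int $id,
        public readonly string $ownerId,
        public readonly string $number,
        public readonly string $secretNote,
    ) {
    }
}

final class ModelItemNormalizer
{
    /** @var array<string, string[]> allowed attributes, keyed by class + context */
    private array $attributesCache = [];

    /**
     * @param array<string, callable(object, string): bool> $rules property => security check
     * @param bool $honourSafetyCheck false reproduces the bug: cache even when isCacheKeySafe() says no
     */
    public function __construct(
        private readonly array $rules,
        private readonly bool $honourSafetyCheck,
    ) {
    }

    // A per-object security expression makes the attribute set depend on the
    // object, so a key built from class + context alone is not safe to cache on.
    private function isCacheKeySafe(): bool
    {
        return $this->rules === [];
    }

    public function normalize(object $object, string $userId): array
    {
        $context = ['user' => $userId];
        // Like the real normalizer, the key knows the class and the context but
        // nothing about which object instance is being serialized.
        $cacheKey = $object::class . ':' . serialize($context);

        $useCache = $this->honourSafetyCheck ? $this->isCacheKeySafe() : true;

        if ($useCache) {
            // Vulnerable path: the verdict for the first object of this class is
            // reused for every later one in the same request.
            $allowed = $this->attributesCache[$cacheKey] ??= $this->allowedAttributes($object, $userId);
        } else {
            // Hardened path: evaluate the security rules for this very object.
            $allowed = $this->allowedAttributes($object, $userId);
        }

        $normalized = [];
        foreach ($allowed as $name) {
            $normalized[$name] = $object->$name;
        }

        return $normalized;
    }

    /** @return string[] names of the properties this user may read on this object */
    private function allowedAttributes(object $object, string $userId): array
    {
        $allowed = [];
        foreach (array_keys(get_object_vars($object)) as $name) {
            $rule = $this->rules[$name] ?? null;
            if ($rule === null || $rule($object, $userId)) {
                $allowed[] = $name;
            }
        }

        return $allowed;
    }
}

// Constructed request: "alice" owns invoice 1 only, and a single collection
// query returns both invoices in this order.
$rules = ['secretNote' => fn (Invoice $o, string $user): bool => $o->ownerId === $user];
$invoices = [
    new Invoice(1, 'alice', 'INV-0001', 'alice-only note'),
    new Invoice(2, 'bob', 'INV-0002', 'bob-only note'),
];

foreach (['vulnerable' => false, 'hardened' => true] as $label => $honourSafetyCheck) {
    $normalizer = new ModelItemNormalizer($rules, $honourSafetyCheck);
    $response = array_map(fn (Invoice $i): array => $normalizer->normalize($i, 'alice'), $invoices);
    $leaked = array_key_exists('secretNote', $response[1]);
    printf("%-10s invoice 2 secretNote for alice: %s\n", $label, $leaked ? 'EXPOSED' : 'withheld');
}
```

Save it as a `.php` file and run it with the PHP CLI (8.1 or later). The vulnerable normalizer reports invoice 2's `secretNote` as exposed to alice, because the grant computed for invoice 1 was cached under the class-level key and replayed; the hardened one withholds it. Swap the two invoices and the vulnerable path instead denies alice her own note, which is why the defect can surface either as a data leak or as a spurious denial depending on which object the request serializes first.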
Detection:
grep -rn "ApiProperty(security" src/
composer show api-platform/core | grep '^versions'
The first command lists the property-level security expressions whose checks were subject to the cached verdict; the second prints the installed version, to be compared with the affected range in the advisory.
Analytics:
- Affects the GraphQL serialization path.
- The upstream patch stops caching the attribute set when the cache key is unsafe, so property-level security is re-evaluated for every object.
- Highest impact in multi-tenant applications, where objects of one class belong to different owners and a single query routinely returns several of them.
References:
Advisory: GHSA-428q-q3vv-3fq3, https://github.com/advisories/GHSA-428q-q3vv-3fq3