How the CVE Works:
This vulnerability exploits GraphQL's Relay `node` interface to bypass role-based security checks. When an API resource declares `security: "is_granted('ROLE_USER')"` on a query, direct access through the standard query enforces the check. However, the Relay `node` field, which is enabled by default, ignores these security constraints. An attacker can fetch a protected resource by requesting it through the `node` field instead, circumventing the authorization check.
DailyCVE Form:
Platform: GraphQL (API Platform)
Version: < 60747cc
Vulnerability: Security Bypass
Severity: Critical
Date: 2025-04-04
What Undercode Say:
Exploitation:
- Craft a malicious query using `node` to bypass checks:
```graphql
query { node(id: "/books/1") { ... on Book { } } }
```
- Use automated tools like `graphql-inspector` to detect unprotected `node` fields.
Mitigation:
1. Patch to `api-platform/core@60747cc` or later.
2. Disable Relay `node` interface if unused:
```yaml
# config/packages/api_platform.yaml
api_platform:
    graphql:
        nesting_separator: '_'
        default_ide: graphiql
        relay:
            enabled: false
```
3. Override security checks for `node` queries:
```php
// Custom Relay node resolver: apply the same security expression here
// (for example the is_granted() check) before resolving $id.
public function node(string $id): ?ResourceInterface
{
    /* ... */
}
```
Detection Commands:
- Scan for exposed `node` fields:
```bash
curl -X POST -H "Content-Type: application/json" \
  -d '{"query":"{ __schema { queryType { fields { name } } } }"}' \
  http://localhost/graphql
```
- Check patch status:
```bash
composer show api-platform/core | grep "version"
```
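The introspection request above returns JSON that still has to be read by hand. The following script is an added example (not code from DailyCVE, Undercode or the API Platform project) that parses such a reply and reports whether the root query type exposes a `node` field, and also handles the case where introspection has been turned off so nothing can be concluded. The three sample replies are constructed to mimic the shape of a GraphQL introspection response; they are not captured output from API Platform. The `fetch_introspection` helper sends the same POST as the curl command and is the only part that touches the network.

```python
"""Triage check: does a GraphQL endpoint expose a root Relay `node` field?"""
from __future__ import annotations

import json
import urllib.request

# Same introspection query as the curl command on this page.
INTROSPECTION_QUERY = "{ __schema { queryType { fields { name } } } }"

# Constructed sample: reply from a server where Relay is enabled.
SAMPLE_RELAY_ENABLED = json.dumps({
    "data": {"__schema": {"queryType": {"fields": [
        {"name": "node"},
        {"name": "book"},
        {"name": "books"},
    ]}}}
})

# Constructed sample: the same API after the Relay `node` field was disabled.
SAMPLE_RELAY_DISABLED = json.dumps({
    "data": {"__schema": {"queryType": {"fields": [
        {"name": "book"},
        {"name": "books"},
    ]}}}
})

# Constructed sample: introspection refused (a common hardening step), so this
# check alone cannot tell whether `node` exists; fall back to the config review.
SAMPLE_INTROSPECTION_DISABLED = json.dumps({
    "errors": [{"message": "GraphQL introspection is not allowed"}]
})


def query_field_names(introspection_json: str) -> list[str] | None:
    """Return the root query field names, or None if introspection was refused."""
    doc = json.loads(introspection_json)
    if "errors" in doc or not doc.get("data"):
        return None
    fields = doc["data"]["__schema"]["queryType"]["fields"]
    return [field["name"] for field in fields]


def relay_node_exposed(introspection_json: str) -> bool | None:
    """True if `node` is a root query field, False if not, None if unknown."""
    names = query_field_names(introspection_json)
    if names is None:
        return None
    return "node" in names


def verdict(introspection_json: str) -> str:
    """One triage line suitable for a scan report."""
    exposed = relay_node_exposed(introspection_json)
    if exposed is None:
        return "UNKNOWN: introspection refused; review relay setting in api_platform.yaml"
    if exposed:
        return "EXPOSED: root `node` field present; confirm patch level or disable Relay"
    return "OK: no root `node` field"


def fetch_introspection(endpoint: str, timeout: float = 5.0) -> str:
    """POST the introspection query to a live endpoint and return the raw JSON text."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    request = urllib.request.Request(
        endpoint,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode()


if __name__ == "__main__":
    # Offline demonstration over the constructed samples; for a real endpoint use
    # verdict(fetch_introspection("http://localhost/graphql")).
    for label, sample in [
        ("relay enabled", SAMPLE_RELAY_ENABLED),
        ("relay disabled", SAMPLE_RELAY_DISABLED),
        ("introspection off", SAMPLE_INTROSPECTION_DISABLED),
    ]:
        print(f"{label:18} {verdict(sample)}")
```

A present `node` field is evidence of exposure only on an unpatched build, so pair the `EXPOSED` result with the `composer show` check above before treating it as a finding.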
Analytics:
- Affected Systems: APIs using GraphQL Relay without explicit `node` security.
- Exploit Complexity: Low (no auth required).
- Patch Urgency: Critical (public bypass risk).
References:
Reported By: https://github.com/advisories/GHSA-cg3c-245w-728m