Improper input validation in Api-platform Core
CVE-2025-23204
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, the security check that runs after GraphQL resolvers is always replaced by another check, because a clause is missing a `break` and execution falls through into the next one. As thi…
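The fall-through the advisory describes, shown as an added illustration that is not API Platform's own code: the `Operation` class, the method and event names, the toy expression evaluator, and the assumption that the clause missing its `break` falls into a `default` branch are all stand-ins (the real project dispatches through `AccessCheckerProvider` and evaluates Symfony security expressions). The constructed input has a resolver return an object owned by someone other than the caller.

```php
<?php
declare(strict_types=1);

// Added illustration (not API Platform code): a reduced model of an access
// checker that selects one security expression per event. Names below are
// hypothetical; the only thing modelled is the missing `break`.

final class Operation
{
    public function __construct(
        public readonly ?string $security = null,              // pre-resolver rule
        public readonly ?string $securityAfterResolver = null, // post-resolver rule
    ) {}
}

// Vulnerable variant: no `break` after the after_resolver case, so PHP falls
// through into `default` and the post-resolver rule is overwritten.
function selectExpressionVulnerable(Operation $op, string $event): ?string
{
    switch ($event) {
        case 'after_resolver':
            $expr = $op->securityAfterResolver;
            // missing break: execution continues into the default case
        default:
            $expr = $op->security;
    }
    return $expr;
}

// Fixed variant: the `break` keeps the after_resolver selection.
function selectExpressionFixed(Operation $op, string $event): ?string
{
    switch ($event) {
        case 'after_resolver':
            $expr = $op->securityAfterResolver;
            break;
        default:
            $expr = $op->security;
    }
    return $expr;
}

// Toy evaluator for the two constructed expressions used below. The real
// project uses Symfony's ExpressionLanguage; this is only a stand-in.
function isGranted(?string $expr, array $user, array $object): bool
{
    if ($expr === null) {
        return true; // no rule configured for this event
    }
    return match ($expr) {
        "is_granted('ROLE_USER')" => in_array('ROLE_USER', $user['roles'], true),
        'object.owner == user.name' => $object['owner'] === $user['name'],
        default => throw new InvalidArgumentException("unknown expression: $expr"),
    };
}

// Constructed sample: any ROLE_USER may call the operation, but only the
// owner may see the object the resolver returned.
$op = new Operation(
    security: "is_granted('ROLE_USER')",
    securityAfterResolver: 'object.owner == user.name',
);
$user = ['name' => 'alice', 'roles' => ['ROLE_USER']];
$resolved = ['owner' => 'bob']; // resolver returned another user's object

foreach (['selectExpressionVulnerable', 'selectExpressionFixed'] as $fn) {
    $expr = $fn($op, 'after_resolver');
    printf("%-26s uses %-28s granted=%s\n",
        $fn, $expr, isGranted($expr, $user, $resolved) ? 'yes' : 'no');
}
```

With the vulnerable selector the `after_resolver` event ends up evaluating the pre-resolver `security` rule, which only checks the role, so alice is granted access to bob's object; the fixed selector keeps the ownership rule and denies it. The check a practitioner wants here is a test that calls the post-resolver path with an object the caller must not see and asserts denial, which is exactly what the fall-through silently breaks.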
Vulnerability class: improper input validation. A clause is missing a `break`, so the security check meant to run after GraphQL resolvers is overwritten by a different check and never enforced as configured.
EPSS: 0.001 (25.6th percentile).
CVSS v3 metric
CVSS v3 base score 4.4 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N.
Affected products
- Api-platform Core — versions >= 3.3.8, < 3.3.15
Weakness classification (CWE)
- CWE-20: Improper Input Validation
References
- https://github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3 (vendor advisory)
- https://github.com/api-platform/core/pull/6444 (fix pull request)
- https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56 (changed lines in the fix)
- https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620 (fix commit)
- https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57 (affected code in AccessCheckerProvider.php)
Frequently asked questions
- What is CVE-2025-23204?
- CVE-2025-23204 is a medium-severity vulnerability in Api-platform Core, classified under Improper Input Validation. CVSS score: 4.4/10. Published 2025-03-24.
- How severe is CVE-2025-23204?
- Medium severity. CVSS v3 base score is 4.4 out of 10.