CVE-2025-23204: API Platform Core does not call GraphQl securityAfterResolver
The security check that runs after GraphQL resolvers (`securityAfterResolver`) is never applied: the clause that selects it has no `break`, so execution falls through and the check is always replaced by another one. See the relevant lines: https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56 and https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57
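A simplified illustration of the fall-through described above, added here and not taken from API Platform's AccessCheckerProvider: the operation class, method names and event string are assumptions chosen to mirror the bug shape, and the script shows the after-resolver rule being discarded in the unfixed version and kept once the `break` is present.

```php
<?php
// Constructed stand-in for an operation carrying two security expressions.
// Not API Platform's own class; names are assumptions for this demo.
final class DemoOperation
{
    public function __construct(
        private ?string $security,              // rule evaluated before the resolver
        private ?string $securityAfterResolver, // rule evaluated after the resolver
    ) {}
    public function getSecurity(): ?string { return $this->security; }
    public function getSecurityAfterResolver(): ?string { return $this->securityAfterResolver; }
}

// Vulnerable shape: the 'after_resolver' case has no break, so control falls
// through to default and $isGranted is overwritten by the generic rule.
function selectRuleVulnerable(DemoOperation $op, string $event): ?string
{
    switch ($event) {
        case 'after_resolver':
            $isGranted = $op->getSecurityAfterResolver();
            // no break here: falls through to default
        default:
            $isGranted = $op->getSecurity();
    }
    return $isGranted;
}

// Fixed shape: the case terminates, so the after-resolver rule survives.
function selectRuleFixed(DemoOperation $op, string $event): ?string
{
    switch ($event) {
        case 'after_resolver':
            $isGranted = $op->getSecurityAfterResolver();
            break;
        default:
            $isGranted = $op->getSecurity();
    }
    return $isGranted;
}

// Constructed sample: an object-level rule that only makes sense after resolution.
$op = new DemoOperation('is_granted("ROLE_USER")', 'object.owner == user');

foreach (['vulnerable' => 'selectRuleVulnerable', 'fixed' => 'selectRuleFixed'] as $label => $fn) {
    $rule = $fn($op, 'after_resolver');
    $kept = $rule === $op->getSecurityAfterResolver();
    echo "$label: after-resolver rule " . ($kept ? 'kept' : "lost, evaluated '$rule' instead") . "\n";
}
```

A quick regression check for a deployment is the same idea at the API level: a GraphQL operation whose `securityAfterResolver` expression would deny a request must actually return an access-denied error rather than the resolved data.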
References
- github.com/advisories/GHSA-7mxx-3cgm-xxv3
- github.com/api-platform/core
- github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620
- github.com/api-platform/core/pull/6444
- github.com/api-platform/core/pull/6444/files
- github.com/api-platform/core/security/advisories/GHSA-7mxx-3cgm-xxv3
- github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php
- nvd.nist.gov/vuln/detail/CVE-2025-23204