Conversation

xabbuh (Member) commented Apr 17, 2025

No description provided.

    versions: ['>=4.0.0', '<4.0.22']
  4.1:
    time: 2025-04-03 15:03:00
    versions: ['>=4.1.0', '<4.1.5']
Member Author:

@soyuka Can you confirm that this is correct? The advisory does not talk about API Platform 4.1, but from what I see 4.1.5 is the first 4.1 release containing the patch.

Reply:

Correct

Member:

@soyuka you should probably update the GitHub advisory (both in the repository-level advisory and in their global advisory databases, as they are not automatically synchronized for updates to existing advisories)

Member Author:

Oh, and while you are at it, you should probably also adjust the affected 3.4/4.0 versions. Currently it states <3.4.16 while that should rather be <=.

xabbuh (Member Author) commented Apr 17, 2025

@soyuka Also, are all minor versions before 3.4 affected by these issues?

branches:
  '3.4':
    time: 2025-04-03 15:02:00
    versions: ['>=3.4.0', '<3.4.17']
Member:

the GitHub advisory says <3.4.17 is affected, so I would remove the lower bound here

soyuka commented Apr 17, 2025

Yes I could reproduce in 2.7 and I assume it's there since we introduced graphql.
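
Added example (not code from the security-advisories repository or from API Platform): a small Python checker that evaluates branch constraints of the shape quoted in this review, so the two points raised above can be verified against concrete versions: that `<3.4.17` and `<=3.4.16` accept the same released versions (while `<3.4.16` wrongly excludes 3.4.16), and that dropping the `>=3.4.0` lower bound is what makes a 2.7 release count as affected. The `BRANCHES` table is constructed from the fragments quoted in the review; handling of pre-release suffixes is assumed out of scope.

```python
"""Evaluate FriendsOfPHP security-advisories style version constraints.

Added example, not the security-advisories repository's own tooling.
Each branch entry lists constraints such as '>=3.4.0' and '<3.4.17'; a
version is affected if it satisfies every constraint of at least one branch.
Only numeric dotted versions (X.Y.Z) are handled; pre-release suffixes are
deliberately out of scope (assumption for this example).
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed from the branch fragments quoted in the review above.
BRANCHES: Dict[str, List[str]] = {
    "3.4": [">=3.4.0", "<3.4.17"],
    "4.0": [">=4.0.0", "<4.0.22"],
    "4.1": [">=4.1.0", "<4.1.5"],
}

# Operator first ('>=' before '>' so the longer token wins), then the bound.
_CONSTRAINT_RE = re.compile(r"^(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.4.16' -> (3, 4, 16); pads to three components so '3.4' == '3.4.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` meets one constraint such as '<3.4.17'."""
    m = _CONSTRAINT_RE.match(constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op = m.group(1) or "="
    bound = parse_version(m.group(2))
    v = parse_version(version)
    return {
        ">=": v >= bound,
        "<=": v <= bound,
        ">": v > bound,
        "<": v < bound,
        "=": v == bound,
    }[op]


def affected_branches(version: str,
                      branches: Dict[str, List[str]] = BRANCHES) -> List[str]:
    """Names of the branches whose constraints all hold for `version`."""
    return [name for name, constraints in branches.items()
            if all(satisfies(version, c) for c in constraints)]


def is_affected(version: str,
                branches: Dict[str, List[str]] = BRANCHES) -> bool:
    """A version is affected if any branch entry matches it."""
    return bool(affected_branches(version, branches))


def same_coverage(a: List[str], b: List[str],
                  candidates: Iterable[str]) -> bool:
    """True if constraint lists `a` and `b` accept exactly the same candidates."""
    return all(
        all(satisfies(v, c) for c in a) == all(satisfies(v, c) for c in b)
        for v in candidates
    )


if __name__ == "__main__":
    for v in ("2.7.0", "3.4.16", "3.4.17", "4.0.21", "4.1.4", "4.1.5"):
        print(f"{v:8} affected={is_affected(v)} via {affected_branches(v)}")
    # Same table with the 3.4 lower bound removed, as suggested in the review.
    without_lower = dict(BRANCHES, **{"3.4": ["<3.4.17"]})
    print("2.7.0 without lower bound:", is_affected("2.7.0", without_lower))
```

Running the script prints the affected status of each sample version under the quoted table, then shows that removing `>=3.4.0` from the 3.4 entry is what brings a 2.7 release into scope. `same_coverage` is the check to run when an advisory is rewritten from an exclusive upper bound (`<3.4.17`) to an inclusive one (`<=3.4.16`), or vice versa, to confirm the two forms still match the same set of released versions.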

@stof stof merged commit 92b6e94 into FriendsOfPHP:master Aug 29, 2025
1 check passed