api-platform/core is vulnerable to Information Disclosure
53
Medium Risk
For item operations (e.g. Get) carrying a security expression such as security: "is_granted('ROLE_INTERNAL')", the state provider ran before the security check. The provider loads the resource (e.g. from the database) and, if nothing is found, throws NotFoundHttpException (404) before the access checker ever runs. An unauthenticated or unauthorized user could therefore probe item IDs: a 404 meant the resource does not exist, while a 403 meant it exists but access was denied, which allows enumeration of the IDs present in the database. The fix evaluates isGranted before the provider for expressions that do not reference the object variable, so unauthorized requests receive 403 without the provider running and the response no longer reveals whether the resource exists.
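As an added illustration (not code from api-platform/core), the following Python model reproduces the two dispatch orders with a toy state provider and a toy expression evaluator, so the 404-versus-403 difference and its removal by the fix can be checked offline; the in-memory store, the role set and the item ids are constructed, and the `object`-referencing branch follows the advisory's note that such expressions still need the provider first.

```python
import re

# Constructed sample store: the item ids that "exist" in the database.
DB = {1: {"id": 1, "label": "internal record"}, 2: {"id": 2, "label": "other"}}
ROLE_RE = re.compile(r"is_granted\('([A-Z_]+)'\)")

class NotFound(Exception):
    """Stands in for NotFoundHttpException (404)."""

def provider(item_id):
    """Toy state provider: load the item from the store or raise NotFound."""
    if item_id not in DB:
        raise NotFound(item_id)
    return DB[item_id]

def evaluate(expression, roles, obj=None):
    """Toy stand-in for the security expression language: is_granted('ROLE_X')
    checks role membership; an expression mentioning `object` also needs obj."""
    m = ROLE_RE.search(expression)
    if m and m.group(1) not in roles:
        return False
    if "object" in expression:
        return bool(obj and obj.get("public"))
    return True

def handle(item_id, roles, expression, fixed):
    """Return the HTTP status an item operation (e.g. Get) would produce.
    fixed=False: provider first, then the access check (vulnerable order).
    fixed=True: if the expression does not reference `object`, the access check
    runs first, so an unauthorized caller gets 403 whether or not the row exists."""
    needs_object = "object" in expression
    if fixed and not needs_object and not evaluate(expression, roles):
        return 403  # denied before the provider ever touches the database
    try:
        obj = provider(item_id)
    except NotFound:
        return 404
    return 200 if evaluate(expression, roles, obj) else 403

def leaks_existence(roles, expression, fixed):
    """Regression check: do an existing id and a missing id produce different
    statuses for a caller with these roles? Should be False for an unauthorized
    caller once the ordering fix is in place."""
    existing = handle(1, roles, expression, fixed)
    missing = handle(999, roles, expression, fixed)
    return existing != missing
```

`leaks_existence` is the kind of check worth keeping in a test suite after upgrading: an unauthorized caller must see the same status for existing and missing ids, while an authorized caller still gets 200 or 404 as usual.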
You are affected if you are using a version that falls within the vulnerable range.
api-platform/core is vulnerable to Information Disclosure in versions 3.1.0 - 4.2.21.
Upgrade the api-platform/core library to a patched version.