CVE-2023-47639: 
PHP vulnerability analysis and mitigation

API Platform Core, a system for creating hypermedia-driven REST and GraphQL APIs, was found to contain a vulnerability (CVE-2023-47639) where exception messages that are not HTTP exceptions were visible in JSON error responses. This vulnerability affected versions 3.2.0 through 3.2.4 and was fixed in version 3.2.5. The issue was discovered and disclosed on April 3, 2025 (GitHub Advisory).

The vulnerability was introduced while attempting to make errors compatible with the JSON Problem specification. Instead of delegating error handling to Symfony, the system began serializing errors with its own normalizers, which resulted in exposing exception details. While stack traces were properly hidden in production environments, exception messages remained visible and could potentially contain sensitive information. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

The vulnerability could lead to the disclosure of sensitive information through exception messages in JSON error responses. While the stack traces were hidden in production, the exception messages themselves could contain sensitive details that should not be exposed to users (GitHub Advisory).

The vulnerability has been fixed in version 3.2.5 of API Platform Core. Users should upgrade to this version or later to address the issue. No alternative workarounds were provided (GitHub Advisory).