CVE-2025-23204: 
PHP vulnerability analysis and mitigation

API Platform Core, a system for creating hypermedia-driven REST and GraphQL APIs, contains a security vulnerability (CVE-2025-23204) that affects versions starting from 3.3.8. The vulnerability occurs when a security check that gets called after GraphQL resolvers is always replaced by another one due to a missing break clause. The issue was discovered on March 24, 2025, and has been patched in version 3.3.15 (GitHub Advisory).

The vulnerability stems from a code logic issue in the security check implementation. The security check that should be called after GraphQL resolvers is always replaced by another check due to a missing break statement in a switch clause. This causes the system to fall back to the default security check instead of using the intended security after resolver check. The vulnerability has been assigned a CVSS v3.1 score of 4.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N (GitHub Advisory).

The impact of this vulnerability is limited to scenarios where there is only a security check after the resolver and none inside the security context. When exploited, it could lead to security checks being bypassed, potentially allowing unauthorized access to protected resources (GitHub Advisory).

The vulnerability has been fixed in API Platform Core version 3.3.15. Users are advised to upgrade to this version to address the security issue. No alternative workarounds have been provided (GitHub Advisory).