Vulnerability details: VCID-5534-m37c-bkex
Vulnerability ID VCID-5534-m37c-bkex
Aliases CVE-2023-25575
GHSA-vr2x-7687-h6qv
Summary API Platform Core is the server component of API Platform (hypermedia and GraphQL APIs). Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform; custom serialization formats may also be impacted. Only collection endpoints are affected; item endpoints are not, and the JSON-LD format is not affected. The security rule is only evaluated for the first item of the collection; its result is then cached and reused for the subsequent items. When the rule depends on the value of a property of the item, this can leak data to unauthorized users, and it can also hide properties that should be displayed to authorized users. This issue impacts the 2.7, 3.0 and 3.1 branches. Please upgrade to versions 2.7.10, 3.0.12 or 3.1.3. As a workaround, replace the `cache_key` of the Serializer context array inside a custom normalizer that works on objects if the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute is used.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
epss 0.002 https://api.first.org/data/v1/epss?cve=CVE-2023-25575
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-vr2x-7687-h6qv
cvssv3.1 7.7 https://github.com/api-platform/core
generic_textual HIGH https://github.com/api-platform/core
cvssv3.1 7.7 https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb
generic_textual HIGH https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb
ssvc Track https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb
cvssv3.1 7.7 https://github.com/api-platform/core/releases/tag/v2.7.10
generic_textual HIGH https://github.com/api-platform/core/releases/tag/v2.7.10
cvssv3.1 7.7 https://github.com/api-platform/core/releases/tag/v3.0.12
generic_textual HIGH https://github.com/api-platform/core/releases/tag/v3.0.12
cvssv3.1 7.7 https://github.com/api-platform/core/releases/tag/v3.1.3
generic_textual HIGH https://github.com/api-platform/core/releases/tag/v3.1.3
cvssv3.1 7.7 https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv
cvssv3.1_qr HIGH https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv
generic_textual HIGH https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv
ssvc Track https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv
cvssv3.1 7.7 https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2023-25575.yaml
generic_textual HIGH https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2023-25575.yaml
cvssv3.1 7.7 https://nvd.nist.gov/vuln/detail/CVE-2023-25575
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-25575
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/api-platform/core
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-07T18:36:44Z/ Found at https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/api-platform/core/releases/tag/v2.7.10
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/api-platform/core/releases/tag/v3.0.12
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/api-platform/core/releases/tag/v3.1.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-07T18:36:44Z/ Found at https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2023-25575.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-25575
Exploit Prediction Scoring System (EPSS)
Percentile 0.42066
EPSS Score 0.002
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:19:58.144527+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/25xxx/CVE-2023-25575.json 38.6.0