VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-h6xs-dtvv-mffa

Essentials
Severities (23)
References (10)
Severity details (20)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-h6xs-dtvv-mffa
Aliases	CVE-2025-31485 GHSA-428q-q3vv-3fq3
Summary	API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-696	Incorrect Behavior Order
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00452	https://api.first.org/data/v1/epss?cve=CVE-2025-31485
epss	0.00452	https://api.first.org/data/v1/epss?cve=CVE-2025-31485
epss	0.00452	https://api.first.org/data/v1/epss?cve=CVE-2025-31485
cvssv3.1	7.5	https://github.com/api-platform/core
generic_textual	HIGH	https://github.com/api-platform/core
cvssv3.1	7.5	https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8
generic_textual	HIGH	https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8
ssvc	Track	https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8
cvssv3.1	7.5	https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a
generic_textual	HIGH	https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a
ssvc	Track	https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a
cvssv3.1	7.5	https://github.com/api-platform/core/releases/tag/v3.4.17
generic_textual	HIGH	https://github.com/api-platform/core/releases/tag/v3.4.17
ssvc	Track	https://github.com/api-platform/core/releases/tag/v3.4.17
cvssv3.1	7.5	https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3
generic_textual	HIGH	https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3
ssvc	Track	https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3
cvssv3.1	7.5	https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2025-31485.yaml
generic_textual	HIGH	https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2025-31485.yaml
cvssv3.1	7.5	https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/graphql/CVE-2025-31485.yaml
generic_textual	HIGH	https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/graphql/CVE-2025-31485.yaml
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2025-31485
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-31485

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-31485
		https://github.com/api-platform/core
		https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2025-31485.yaml
		https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/graphql/CVE-2025-31485.yaml
		https://nvd.nist.gov/vuln/detail/CVE-2025-31485
7af65aad13037d7649348ee3dcd88e084ef771f8		https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8
cba3acfbd517763cf320167250c5bed6d569696a		https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a
GHSA-428q-q3vv-3fq3		https://github.com/advisories/GHSA-428q-q3vv-3fq3
GHSA-428q-q3vv-3fq3		https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3
v3.4.17		https://github.com/api-platform/core/releases/tag/v3.4.17

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/api-platform/core

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-03T19:59:34Z/ Found at https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-03T19:59:34Z/ Found at https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/api-platform/core/releases/tag/v3.4.17

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-03T19:59:34Z/ Found at https://github.com/api-platform/core/releases/tag/v3.4.17

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-03T19:59:34Z/ Found at https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2025-31485.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/graphql/CVE-2025-31485.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-31485

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.64187
EPSS Score	0.00452
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T17:04:55.013155+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2025/31xxx/CVE-2025-31485.json	38.6.0