VDB
KO
MEDIUM 5.9

GHSA-pjhx-3c3w-9v23

API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate

Details

### Impact

`#[ApiProperty(security: ...)]` is evaluated per request to decide whether a property is exposed. The `componentsCache` arrays in `ApiPlatform\JsonApi\Serializer\ItemNormalizer` and `ApiPlatform\Hal\Serializer\ItemNormalizer` are keyed on `$context['cache_key']`, which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them.

This is the same vulnerability class as [GHSA-428q-q3vv-3fq3](https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3) / CVE-2025-31485, which fixed only the GraphQL `ItemNormalizer`. The JSON:API and HAL paths were not addressed at the time.

### Exploitation conditions

Exploitation requires all of the following to coincide:

- The application exposes a resource via the JSON:API and/or HAL formats. - At least one property of that resource uses `#[ApiProperty(security: ...)]` with a predicate whose result depends on the current user (or on per-request state). - A request from a user for whom the predicate evaluates to `true` populates `componentsCache` before a request from a user for whom the predicate evaluates to `false`, within the lifetime of the same PHP process. - The deployment uses a long-running PHP runtime that keeps the normalizer instance alive across requests (FrankenPHP worker mode, RoadRunner, Swoole, ReactPHP, etc.). With classic `php-fpm` workers the cache only survives the duration of a single request, which makes the issue much harder to observe in practice.

### Patches

- 4.1.29 - 4.2.25 - 4.3.8

All three branches receive patched releases of `api-platform/core`, `api-platform/json-api`, and `api-platform/hal`.

### Workarounds

Override the JSON:API and HAL `ItemNormalizer` services to gate `$context['cache_key']` with a resource-class security check, or avoid `#[ApiProperty(security: ...)]` on resources served as JSON:API or HAL until the patch is applied. Pinning the deployment to classic `php-fpm` workers also limits exposure since the cache does not survive across requests.

### Credits

- Tillmann Baumgart (@tillmon) — originally identified the broader cache-key gap and proposed moving `isCacheKeySafe` to `AbstractItemNormalizer`. - Antoine Bluchet (@soyuka) — extended the gate to JSON:API and HAL normalizers.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / api-platform/core
Introduced in: 2.6.0 Fixed in: 4.1.29
Fix composer require api-platform/core:^4.1.29
Packagist / api-platform/core
Introduced in: 4.2.0 Fixed in: 4.2.25
Fix composer require api-platform/core:^4.2.25
Packagist / api-platform/core
Introduced in: 4.3.0 Fixed in: 4.3.8
Fix composer require api-platform/core:^4.3.8
Packagist / api-platform/json-api
Introduced in: 4.0.0 Fixed in: 4.1.29
Fix composer require api-platform/json-api:^4.1.29
Packagist / api-platform/json-api
Introduced in: 4.2.0 Fixed in: 4.2.25
Fix composer require api-platform/json-api:^4.2.25
Packagist / api-platform/json-api
Introduced in: 4.3.0 Fixed in: 4.3.8
Fix composer require api-platform/json-api:^4.3.8
Packagist / api-platform/hal
Introduced in: 4.0.0 Fixed in: 4.1.29
Fix composer require api-platform/hal:^4.1.29
Packagist / api-platform/hal
Introduced in: 4.2.0 Fixed in: 4.2.25
Fix composer require api-platform/hal:^4.2.25
Packagist / api-platform/hal
Introduced in: 4.3.0 Fixed in: 4.3.8
Fix composer require api-platform/hal:^4.3.8

References