
fix(deps): update dependency api-platform/core to v3.4.17 [security]#7168

Merged
renovate[bot] merged 1 commit into devel from renovate/packagist-api-platform-core-vulnerability on Apr 11, 2025

Conversation


@renovate renovate bot commented Apr 4, 2025

This PR contains the following updates:

Package                     Change
api-platform/core (source)  3.4.16 -> 3.4.17

GitHub Vulnerability Alerts

CVE-2025-31485

Original message:

I found an issue with security grants on properties in the GraphQL ItemNormalizer:

If you use something like #[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')] on a member of an entity, the grant gets cached and is only evaluated once, even if the object in question is a different one.

There is the ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164
and in its usage on line 90 it does indeed not create a cache key, but the parent::normalize() that is called afterwards still creates the cache key and causes the issue.

Impact

It grants access to properties that it should not.

Workarounds

Override the ItemNormalizer.

Patched at: api-platform/core@7af65aa

CVE-2025-31481

Summary

Using the Relay special node type you can bypass the configured security on an operation.

Details

Here is an example of how to apply security configurations for the GraphQL operations:

#[ApiResource(
    security: "is_granted('ROLE_USER')",
    operations: [ /* ... */ ],
    graphQlOperations: [
        new Query(security: "is_granted('ROLE_USER')"),
        //...
    ],
)]
class Book { /* ... */ }

This indeed checks is_granted('ROLE_USER') as expected for a GraphQL query like the following:

query {
    book(id: "/books/1") {
        title
    }
}

But the security check can be bypassed by using the node field (that is available by default) on the root query type like that:

query {
    node(id: "/books/1") {
        ... on Book {
            title
        }
    }
}

This does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API.

Impact

Everyone using GraphQL with the security attribute. Not sure whether this works with custom resolvers, nor whether this also applies to mutations.

Patched at api-platform/core@60747cc


Release Notes

api-platform/core (api-platform/core)

v3.4.17

Compare Source

Exceptional release as 3.4 is not maintained anymore, this resolves our recent security issues:

GHSA-cg3c-245w-728m
GHSA-428q-q3vv-3fq3

What's Changed

Full Changelog: api-platform/core@v3.4.16...v3.4.17


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
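As an added example that is not part of this PR or of the api-platform project: a small Python audit script that scans a GraphQL request log for the root `node(id: ...)` lookup described in CVE-2025-31481, reporting queries that reach a resource type whose operations carry a `security` expression, so a team still running a version below 3.4.17 can measure its exposure. The JSON-lines log format (fields `ts`, `user`, `query`), the `SECURED_TYPES` set and the sample lines are assumptions constructed for the example.

```python
import json
import re

# Resource types whose GraphQL operations carry a `security` expression.
# Constructed from the ApiResource example in the advisory; extend for your schema.
SECURED_TYPES = {"Book"}

# Relay lookup field, e.g. `node(id: "/books/1")`; a connection's `edges { node { ... } }`
# has no `(id:` argument and therefore does not match.
NODE_FIELD_RE = re.compile(r"\bnode\s*\(\s*id\s*:")
# Inline fragments such as `... on Book`.
INLINE_FRAGMENT_RE = re.compile(r"\.\.\.\s*on\s+([A-Za-z_][A-Za-z0-9_]*)")

def node_fragment_types(query: str) -> set[str]:
    """Types selected via inline fragments in a query that uses `node(id: ...)`."""
    # Drop GraphQL line comments (`#` to end of line) so they cannot trigger a match.
    q = "\n".join(line.split("#", 1)[0] for line in query.splitlines())
    if not NODE_FIELD_RE.search(q):
        return set()
    return set(INLINE_FRAGMENT_RE.findall(q))

def flag_node_bypass(query: str) -> set[str]:
    """Secured types reachable through `node` in this query (empty = nothing to audit)."""
    return node_fragment_types(query) & SECURED_TYPES

def scan_log(lines: list[str]) -> list[dict]:
    """Scan JSON-lines records with ts/user/query fields; return the ones to audit."""
    hits = []
    for raw in filter(None, map(str.strip, lines)):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the audit
        types = flag_node_bypass(rec.get("query", ""))
        if types:
            hits.append({"ts": rec.get("ts"), "user": rec.get("user"), "types": sorted(types)})
    return hits

# Constructed sample log: an ordinary secured query, a root `node` lookup on a
# secured type, and a connection `edges { node { ... } }` that must not be flagged.
SAMPLE_LOG = [
    '{"ts": "2025-04-04T10:00:00Z", "user": "bob", "query": "query { book(id: \\"/books/1\\") { title } }"}',
    '{"ts": "2025-04-04T10:00:05Z", "user": "alice", "query": "query { node(id: \\"/books/1\\") { ... on Book { title } } }"}',
    '{"ts": "2025-04-04T10:00:09Z", "user": "carol", "query": "query { books { edges { node { title } } } }"}',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} user={hit['user']} node lookup on secured type(s): {', '.join(hit['types'])}")
```

Relay clients use `node` legitimately, so a hit marks a query to review against the caller's entitlements, not proof of abuse; the real fix remains the update to 3.4.17.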

@renovate renovate bot added the renovate label Apr 4, 2025

renovate bot commented Apr 4, 2025

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.


  • Branch has one or more failed status checks

@renovate renovate bot enabled auto-merge April 4, 2025 18:54
@renovate renovate bot force-pushed the renovate/packagist-api-platform-core-vulnerability branch from e5ef1bc to 3641513 Compare April 8, 2025 18:07
@renovate renovate bot changed the title fix(deps): update dependency api-platform/core to v4 [security] fix(deps): update dependency api-platform/core to v3.4.17 [security] Apr 8, 2025
@renovate renovate bot force-pushed the renovate/packagist-api-platform-core-vulnerability branch from 3641513 to de90254 Compare April 8, 2025 21:55
@renovate renovate bot changed the title fix(deps): update dependency api-platform/core to v3.4.17 [security] fix(deps): update dependency api-platform/core to v3.4.17 [security] - autoclosed Apr 11, 2025
@renovate renovate bot closed this Apr 11, 2025
auto-merge was automatically disabled April 11, 2025 19:33

Pull request was closed

@renovate renovate bot deleted the renovate/packagist-api-platform-core-vulnerability branch April 11, 2025 19:33
@renovate renovate bot changed the title fix(deps): update dependency api-platform/core to v3.4.17 [security] - autoclosed fix(deps): update dependency api-platform/core to v3.4.17 [security] Apr 11, 2025
@renovate renovate bot reopened this Apr 11, 2025
@renovate renovate bot force-pushed the renovate/packagist-api-platform-core-vulnerability branch from 830700d to de90254 Compare April 11, 2025 19:54
@renovate renovate bot enabled auto-merge April 11, 2025 19:56
@renovate renovate bot added this pull request to the merge queue Apr 11, 2025
Merged via the queue into devel with commit 03b2cb3 Apr 11, 2025
102 checks passed