Omitted Break Statement in Switch Affecting api-platform/core package, versions >=3.3.8, <3.3.15


Severity

Recommended: 0.0 (low), on a scale of 0 to 10

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-PHP-APIPLATFORMCORE-9512416
  • Published: 25 Mar 2025
  • Disclosed: 24 Mar 2025
  • Credit: Martin Auswöger

Introduced: 24 Mar 2025

CVE-2025-23204
CWE-484

How to fix?

Upgrade api-platform/core to version 3.3.15 or higher.

Overview

api-platform/core builds a fully-featured hypermedia or GraphQL API in minutes.

Affected versions of this package are vulnerable to Omitted Break Statement in Switch in the provide() function in AccessCheckerProvider.php, accessible via the GraphQL endpoint. An attacker can bypass security checks intended to be enforced after GraphQL resolvers.
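
The following is an added illustration of the CWE-484 pattern described above, not code from api-platform/core. It is a simplified model: the function names, the 'after_resolver' event name, the rule format and the "no rule means allowed" behaviour are all assumptions made for the example.

```php
<?php
// Constructed illustration of CWE-484 (omitted break in switch).
// All names and data below are hypothetical; this is not the project's code.

/** Vulnerable: the 'after_resolver' case has no break, so control falls into default. */
function selectRuleVulnerable(string $event, array $rules): ?string
{
    switch ($event) {
        case 'after_resolver':
            $rule = $rules['after_resolver'] ?? null;
            // missing break: execution continues into the default branch
        default:
            $rule = $rules['default'] ?? null; // overwrites the rule selected above
    }
    return $rule;
}

/** Fixed: the case ends with break, so the stage-specific rule is kept. */
function selectRuleFixed(string $event, array $rules): ?string
{
    switch ($event) {
        case 'after_resolver':
            $rule = $rules['after_resolver'] ?? null;
            break;
        default:
            $rule = $rules['default'] ?? null;
    }
    return $rule;
}

/** Assumption of this model: a stage with no rule has nothing to enforce. */
function isGranted(?string $rule, array $user): bool
{
    if ($rule === null) {
        return true;
    }
    return in_array($rule, $user['roles'], true);
}

// Constructed sample: the only rule configured is the one for the after-resolver stage.
$rules = ['after_resolver' => 'ROLE_ADMIN'];
$user  = ['roles' => ['ROLE_USER']];

var_dump(isGranted(selectRuleVulnerable('after_resolver', $rules), $user));
var_dump(isGranted(selectRuleFixed('after_resolver', $rules), $user));
```

With this sample configuration the vulnerable selector returns no rule, so the request is allowed, while the fixed selector returns the after-resolver rule and the request is denied. When reviewing switch statements that select an authorization rule, check that every non-empty case ends in break or return.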
