add CVE-2025-31481 and CVE-2025-31485 for API Platform

xabbuh · xabbuh · commit f958c82dd3d6 · 2025-04-17T10:25:57.000+02:00
diff --git a/api-platform/core/CVE-2025-31481.yaml b/api-platform/core/CVE-2025-31481.yaml
@@ -0,0 +1,14 @@
+title:     "GraphQL query operations security can be bypassed"
+link:      https://github.com/advisories/GHSA-cg3c-245w-728m
+cve:       CVE-2025-31481
+branches:
+    '3.4':
+        time:     2025-04-03 15:02:00
+        versions: ['>=3.4.0', '<3.4.17']
+    '4.0':
+        time:     2025-04-03 15:02:00
+        versions: ['>=4.0.0', '<4.0.22']
+    '4.1':
+        time:     2025-04-03 15:03:00
+        versions: ['>=4.1.0', '<4.1.5']
+reference: composer://api-platform/core
diff --git a/api-platform/core/CVE-2025-31485.yaml b/api-platform/core/CVE-2025-31485.yaml
@@ -0,0 +1,14 @@
+title:     "GraphQL grant on a property might be cached with different objects"
+link:      https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3
+cve:       CVE-2025-31485
+branches:
+    '3.4':
+        time:     2025-04-03 15:03:00
+        versions: ['>=3.4.0', '<3.4.17']
+    '4.0':
+        time:     2025-04-03 15:03:00
+        versions: ['>=4.0.0', '<4.0.22']
+    '4.1':
+        time:     2025-04-03 15:03:00
+        versions: ['>=4.1.0', '<4.1.5']
+reference: composer://api-platform/core
diff --git a/api-platform/graphql/CVE-2025-31481.yaml b/api-platform/graphql/CVE-2025-31481.yaml
@@ -0,0 +1,14 @@
+title:     "GraphQL query operations security can be bypassed"
+link:      https://github.com/advisories/GHSA-cg3c-245w-728m
+cve:       CVE-2025-31481
+branches:
+    '3.4':
+        time:     2025-04-03 15:02:00
+        versions: ['>=3.4.0', '<3.4.17']
+    '4.0':
+        time:     2025-04-03 15:02:00
+        versions: ['>=4.0.0', '<4.0.22']
+    '4.1':
+        time:     2025-04-03 15:03:00
+        versions: ['>=4.1.0', '<4.1.5']
+reference: composer://api-platform/graphql
diff --git a/api-platform/graphql/CVE-2025-31485.yaml b/api-platform/graphql/CVE-2025-31485.yaml
@@ -0,0 +1,14 @@
+title:     "GraphQL grant on a property might be cached with different objects"
+link:      https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3
+cve:       CVE-2025-31485
+branches:
+    '3.4':
+        time:     2025-04-03 15:03:00
+        versions: ['>=3.4.0', '<3.4.17']
+    '4.0':
+        time:     2025-04-03 15:03:00
+        versions: ['>=4.0.0', '<4.0.22']
+    '4.1':
+        time:     2025-04-03 15:03:00
+        versions: ['>=4.1.0', '<4.1.5']
+reference: composer://api-platform/graphql
