add CVE-2025-31481 and CVE-2025-31485 for API Platform #750
Conversation
| versions: ['>=4.0.0', '<4.0.22'] | ||
| 4.1: | ||
| time: 2025-04-03 15:03:00 | ||
| versions: ['>=4.1.0', '<4.1.5'] |
There was a problem hiding this comment.
@soyuka Can you confirm that this is correct? The advisory does not talk about API Platform 4.1, but from what I see 4.1.5 is the first 4.1 release containing the patch.
There was a problem hiding this comment.
@soyuka you should probably update the GitHub advisory (both in the repository-level advisory and in their global advisory databases, as they are not automatically synchronized for updates to existing advisories)
There was a problem hiding this comment.
Oh, and while you are at it, you should probably also adjust the affected 3.4/4.0 versions. Currently it states <3.4.16 while that should rather be <=.
|
@soyuka Also, are all minor versions before 3.4 affected by these issues? |
| branches: | ||
| '3.4': | ||
| time: 2025-04-03 15:02:00 | ||
| versions: ['>=3.4.0', '<3.4.17'] |
There was a problem hiding this comment.
the GitHub advisory says <3.4.17 is affected, so I would remove the lower bound here
|
Yes I could reproduce in 2.7 and I assume it's there since we introduced graphql. |
No description provided.