CVE-2023-47639 – api-platform/core

Package

Manager: composer
Name: api-platform/core
Vulnerable Version: >=3.2.0 <3.2.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00034 pctl0.08131

Details

API Platform Core can leak exceptions message that may contain sensitive information ### Summary Exception messages, that are not HTTP exceptions, are visible in the JSON error response. ### Details While we wanted to make our errors compatible with the [JSON Problem](https://datatracker.ietf.org/doc/html/rfc7807) specification, we ended up handling more exceptions then we did previously (introduced at https://github.com/api-platform/core/pull/5823). Instead of leaving that to Symfony, we ended up serializing errors with our normalizers which lead to not hiding the exception details. Note that the trace is hidden in production but the message is not, and the message can contain sensitive information. ### PoC At https://github.com/ili101/api-platform/tree/test3.2 it triggers an authentication exception as LDAP is not reachable. You can find the message available as a JSON response when trying to reach an endpoint. ### Impact Version 3.2 until 3.2.4 is impacted.

Metadata

Created: 2025-04-03T13:02:57Z
Modified: 2025-04-04T02:13:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-rfw5-cqjj-7v9r/GHSA-rfw5-cqjj-7v9r.json
CWE IDs: ["CWE-209"]
Alternative ID: GHSA-rfw5-cqjj-7v9r
Finding: F037
Auto approve: 1