Impact
A missing safety gate in the JSON:API and HAL item normalizers of API Platform Core allows the componentsCache arrays to be keyed by a value that is not guaranteed to be safe. As a result, the attribute, relationship, and link structure produced for one request can be reused for a subsequent request that belongs to a different user. The security predicates defined with #[ApiProperty(security: ...)] are evaluated per request to decide whether a field should be exposed. Because the cache is shared across users, a user with lower privileges may see the structure of properties that the security check would otherwise hide. This leads to an accidental disclosure of information and matches CWE-524 (Use of Cache Containing Sensitive Information) and CWE-639 (Authorization Bypass Through User-Controlled Key).
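The bug pattern above as a simplified model, added here and not API Platform's own code: a per-class cache of the exposed property structure that is warmed by the first request and then served to any later caller. The class and method names are hypothetical, a required role stands in for the security expression, and the safety gate shown is one assumed hardening, not necessarily the upstream fix.

```php
<?php
// Simplified model of the cache-reuse bug described above; not API Platform's
// own code. Hypothetical names: User, PropertyMeta, ItemNormalizer.

final class User {
    /** @param string[] $roles */
    public function __construct(public array $roles) {}
}
// A property's name plus, optionally, the role a user needs to see it: a stand-in
// for the per-request #[ApiProperty(security: ...)] predicate.
final class PropertyMeta {
    public function __construct(public string $name, public ?string $requiredRole = null) {}
}

final class ItemNormalizer {
    /** @var array<string, string[]> shared across requests, like componentsCache */
    private array $componentsCache = [];
    public function __construct(private bool $safetyGate) {}

    /** @param PropertyMeta[] $props  @return string[] property names exposed to $user */
    public function getComponents(string $class, array $props, User $user): array {
        // Vulnerable behaviour: the cache key is the class alone, never the user.
        if (isset($this->componentsCache[$class])) {
            return $this->componentsCache[$class];
        }
        $components = [];
        foreach ($props as $p) {
            if (null === $p->requiredRole || in_array($p->requiredRole, $user->roles, true)) {
                $components[] = $p->name;
            }
        }
        // Safety gate (assumed hardening, not necessarily the upstream fix): a structure
        // that depends on the caller's permissions must never enter the shared cache.
        $userDependent = [] !== array_filter($props, fn (PropertyMeta $p) => null !== $p->requiredRole);
        if (!($this->safetyGate && $userDependent)) {
            $this->componentsCache[$class] = $components;
        }
        return $components;
    }
}
$props = [new PropertyMeta('email'), new PropertyMeta('ssn', 'ROLE_ADMIN')];
$admin = new User(['ROLE_ADMIN']);
$guest = new User([]);
$vulnerable = new ItemNormalizer(safetyGate: false);
$vulnerable->getComponents('User', $props, $admin);          // the admin's request warms the cache
print_r($vulnerable->getComponents('User', $props, $guest)); // the guest is served the admin's structure
$fixed = new ItemNormalizer(safetyGate: true);
$fixed->getComponents('User', $props, $admin);               // user-dependent structure is not cached
print_r($fixed->getComponents('User', $props, $guest));      // the guest's structure is computed for the guest
```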
Affected Systems
API Platform packages api-platform/hal, api-platform/json-api, and api-platform/core are affected when running from version 2.6.0 up to 4.1.28 inclusive, from 4.2.0 up to 4.2.25 inclusive, and from 4.3.0 up to 4.3.11 inclusive. The fix is already applied in releases 4.1.29, 4.2.26, and 4.3.12 respectively.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate risk. The EPSS score is < 1%, indicating a very low but non-zero likelihood of exploitation. The attack does not require a public exploit; an attacker who can make API requests on behalf of two distinct users can trigger the normalizers for each user, causing the cached attribute structure to be reused. The attack vector is inferred to be direct API calls that invoke the affected normalizers, targeting endpoints that expose user data. The vulnerability is not listed in the CISA KEV catalog.
OpenCVE Enrichment