Key Information

Vulnerability Overview
Vulnerability Name: GraphQL query operations security can be bypassed
CVE ID: CVE-2025-31481
GHSA ID: GHSA-cg3c-245w-728m
Publisher: soyuuka
Release Date: 5 days ago

Affected Versions
Affected Packages:
- (Composer): <4.0.21, <3.4.16
- (Composer): <4.0.21, <3.4.16
Fixed Versions:
- : 4.0.22, 3.4.17
- : 4.0.22, 3.4.17

Severity
CVSS v3 Base Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Required Privileges: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
CVSS Score: 7.5 / 10

Vulnerability Details
Summary: The security configured on operations can be bypassed using Relay's special node type.
Detailed Description:
- Example code demonstrates how to apply security configuration to GraphQL operations.
- By using the default available field, security checks can be bypassed, allowing access to any entity without restrictions.

Impact Scope
Affected Users: All users utilizing GraphQL with the attribute. It is uncertain whether this applies to custom resolvers or mutations as well.

Fix Information
Fix Commit: 6b747cc

Related Personnel
Fix Developer: soyuuka
Reporter: ausi
Fix Reviewer: alanpoulain