CVE-2025-32031

Apollo Gateway provides utilities for combining multiple GraphQL microservices into a single GraphQL endpoint. Prior to 2.10.1, a vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested and reused named fragments can generate many selections where this optimization does not apply, leading to significantly longer planning times. Because the query planner does not enforce a timeout, a small number of such queries can render gateway inoperable. This could lead to excessive resource consumption and denial of service. This has been remediated in @apollo/gateway version 2.10.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/apollographql/federation/pull/3236	Issue Tracking Patch
https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1	Release Notes
https://github.com/apollographql/federation/security/advisories/GHSA-p2q6-pwh5-m6jr	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apollographql:apollo_gateway:*:*:*:*:*:node.js:*:*

History

01 Aug 2025, 16:50

Type	Values Removed	Values Added
References	~~() https://github.com/apollographql/federation/pull/3236 -~~	() https://github.com/apollographql/federation/pull/3236 - Issue Tracking, Patch
References	~~() https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1 -~~	() https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1 - Release Notes
References	~~() https://github.com/apollographql/federation/security/advisories/GHSA-p2q6-pwh5-m6jr -~~	() https://github.com/apollographql/federation/security/advisories/GHSA-p2q6-pwh5-m6jr - Vendor Advisory
CPE		cpe:2.3:a:apollographql:apollo_gateway::::::node.js::*
First Time		Apollographql apollo Gateway Apollographql

08 Apr 2025, 18:13

Type	Values Removed	Values Added
Summary		(es) Apollo Gateway proporciona utilidades para combinar múltiples microservicios GraphQL en un único endpoint GraphQL. Antes de la versión 2.10.1, una vulnerabilidad en Apollo Gateway hacía que la planificación de consultas con fragmentos con nombre profundamente anidados y reutilizados fuera excesivamente costosa, especialmente debido a que las optimizaciones internas se omitían con frecuencia. El planificador de consultas incluye una optimización que acelera significativamente la planificación de las selecciones GraphQL aplicables. Sin embargo, las consultas con fragmentos con nombre profundamente anidados y reutilizados pueden generar muchas selecciones donde esta optimización no aplica, lo que resulta en tiempos de planificación significativamente más largos. Dado que el planificador de consultas no impone un tiempo de espera, un pequeño número de estas consultas puede inutilizar la puerta de enlace. Esto podría provocar un consumo excesivo de recursos y una denegación de servicio. Esto se ha solucionado en la versión 2.10.1 de @apollo/gateway.

07 Apr 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-07 21:15

Updated : 2025-08-01 16:50

NVD link : CVE-2025-32031

Mitre link : CVE-2025-32031

CVE.ORG link : CVE-2025-32031

JSON object : View

Products Affected

apollographql

apollo_gateway

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10