CVE-2025-64347

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/apollographql/router/commit/78e4b20a2fc26cc5f141aa47992ed85375266a2b
https://github.com/apollographql/router/security/advisories/GHSA-g8jh-vg5j-4h3f

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Apollo Router Core es un router de grafo configurable en Rust escrito para ejecutar un supergrafo federado usando Apollo Federation 2. Las versiones 1.61.12-rc.0 e inferiores y 2.8.1-rc.0 permiten el acceso no autorizado a datos protegidos a través de elementos de esquema con directivas de control de acceso (@authenticated, @requiresScopes y @policy) que fueron renombrados a través de importaciones @link. El router no aplicaba las directivas de control de acceso renombradas en elementos de esquema (p. ej., campos y tipos), permitiendo que las consultas eludieran esos controles de acceso a nivel de elemento. Este problema se corrige en las versiones 1.61.12 y 2.8.1.

07 Nov 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-07 18:15

Updated : 2026-06-17 09:54

NVD link : CVE-2025-64347

Mitre link : CVE-2025-64347

CVE.ORG link : CVE-2025-64347

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

{"id": "CVE-2025-64347", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-64347", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-07T18:24:45.535593Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "apollographql", "product": "router", "versions": [{"status": "affected", "version": "< 1.61.12"}, {"status": "affected", "version": ">= 2.8.1-rc.0, < 2.8.1"}]}]}], "published": "2025-11-07T18:15:37.313", "references": [{"url": "https://github.com/apollographql/router/commit/78e4b20a2fc26cc5f141aa47992ed85375266a2b", "source": "security-advisories@github.com"}, {"url": "https://github.com/apollographql/router/security/advisories/GHSA-g8jh-vg5j-4h3f", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1."}, {"lang": "es", "value": "Apollo Router Core es un router de grafo configurable en Rust escrito para ejecutar un supergrafo federado usando Apollo Federation 2. Las versiones 1.61.12-rc.0 e inferiores y 2.8.1-rc.0 permiten el acceso no autorizado a datos protegidos a trav\u00e9s de elementos de esquema con directivas de control de acceso (@authenticated, @requiresScopes y @policy) que fueron renombrados a trav\u00e9s de importaciones @link. El router no aplicaba las directivas de control de acceso renombradas en elementos de esquema (p. ej., campos y tipos), permitiendo que las consultas eludieran esos controles de acceso a nivel de elemento. Este problema se corrige en las versiones 1.61.12 y 2.8.1."}], "lastModified": "2026-06-17T09:54:15.037", "sourceIdentifier": "security-advisories@github.com"}