Access Control Bypass in Apollo Router Core Affects Configurable Graph APIs
CVE-2025-64347
7.5HIGH
What is CVE-2025-64347?
Apollo Router Core, a Rust-based graph router utilized for managing federated supergraphs through Apollo Federation 2, contains a serious vulnerability that allows unauthorized access to sensitive data. This vulnerability arises from failures in enforcing renamed access control directives, such as @authenticated and @requiresScopes, on schema elements. Due to this oversight, queries could bypass critical access controls set on specific fields and types, compromising data security. This issue has been addressed in versions 1.61.12 and 2.8.1, which reinforce enforcement protocols to protect against unauthorized data access.
Affected Version(s)
router < 1.61.12 < 1.61.12
router >= 2.8.1-rc.0, < 2.8.1 < 2.8.1-rc.0, 2.8.1