Access Control Bypass in Apollo Router Core Affects Configurable Graph APIs
CVE-2025-64347
What is CVE-2025-64347?
Apollo Router Core, a Rust-based graph router used to serve federated supergraphs built with Apollo Federation 2, contains a serious vulnerability that allows unauthorized access to sensitive data. The flaw is that access control directives such as @authenticated and @requiresScopes are not enforced on schema elements when the directives have been renamed (imported under a different name). Because of this oversight, a query could bypass the access controls placed on specific fields and types, exposing data that should have required authentication or particular scopes. The issue has been addressed in versions 1.61.12 and 2.8.1, which enforce the renamed directives correctly.
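The following is an added example, not code from the advisory or from the Apollo project. It shows the defender-side check a team running an affected router would want: a small schema lint that resolves the rename map declared in a Federation 2 `@link(import: [...])` list, finds every field whose protection depends on a renamed authorization directive (exactly the fields an unpatched router would leave unprotected), and compares the deployed router version with the fixed versions the advisory names. The SDL is a constructed sample, the parser is a deliberately simple regex-based one (it assumes one field per line and no nested braces inside field definitions), and the treatment of pre-release versions such as `2.8.1-rc.0` as sorting below the final release is an assumption of this example.

```python
import re
from typing import Dict, List, Tuple

# Canonical Apollo Federation 2 authorization directives named in the advisory.
AUTHZ_DIRECTIVES = {"@authenticated", "@requiresScopes"}

# Constructed sample subgraph SDL (not taken from the advisory or Apollo's code).
# @authenticated is imported under its own name; @requiresScopes is renamed
# to @scopes through the @link import list.
SAMPLE_SDL = '''
extend schema
  @link(url: "https://specs.apollo.dev/federation/v2.5",
        import: ["@key", "@authenticated",
                 {name: "@requiresScopes", as: "@scopes"}])

type Query {
  me: User @authenticated
  audit(limit: Int): [Event] @scopes(scopes: [["audit:read"]])
  status: String
}

type User @key(fields: "id") {
  id: ID!
  ssn: String @authenticated
}
'''

_LINK_RE = re.compile(r'@link\s*\(([^)]*)\)', re.S)
_RENAME_RE = re.compile(r'\{\s*name:\s*"(@\w+)"\s*,\s*as:\s*"(@\w+)"\s*\}')
_PLAIN_RE = re.compile(r'"(@\w+)"')
_TYPE_RE = re.compile(r'\btype\s+(\w+)[^{]*\{([^}]*)\}', re.S)
_FIELD_RE = re.compile(r'^\s*(\w+)\s*(?:\([^)]*\))?\s*:(.*)$')
_DIRECTIVE_RE = re.compile(r'@\w+')


def parse_directive_aliases(sdl: str) -> Dict[str, str]:
    """Map each directive name usable in this schema to its canonical name."""
    aliases: Dict[str, str] = {}
    for link_body in _LINK_RE.findall(sdl):
        for canonical, alias in _RENAME_RE.findall(link_body):
            aliases[alias] = canonical
        # Drop the {name:..., as:...} objects, then collect plain imports.
        for name in _PLAIN_RE.findall(_RENAME_RE.sub("", link_body)):
            aliases.setdefault(name, name)
    return aliases


def protected_fields(sdl: str) -> Dict[str, Dict[str, str]]:
    """Type.field -> {directive as written: canonical directive} for every
    field that carries an authorization directive, renamed or not."""
    aliases = parse_directive_aliases(sdl)
    found: Dict[str, Dict[str, str]] = {}
    for type_name, body in _TYPE_RE.findall(sdl):
        for line in body.splitlines():
            m = _FIELD_RE.match(line)
            if not m:
                continue
            field, rest = m.group(1), m.group(2)
            for written in _DIRECTIVE_RE.findall(rest):
                canonical = aliases.get(written, written)
                if canonical in AUTHZ_DIRECTIVES:
                    found.setdefault(f"{type_name}.{field}", {})[written] = canonical
    return found


def fields_relying_on_renamed_authz(sdl: str) -> List[str]:
    """Fields whose protection depends on a renamed directive, i.e. the ones an
    unpatched router (CVE-2025-64347) would fail to enforce."""
    return sorted(
        path for path, directives in protected_fields(sdl).items()
        if any(written != canonical for written, canonical in directives.items())
    )


FIXED_VERSIONS = {1: (1, 61, 12), 2: (2, 8, 1)}  # fixed releases per the advisory


def _parse_version(v: str) -> Tuple[int, int, int, int]:
    core, _, pre = v.partition("-")
    major, minor, patch = (int(x) for x in core.split("."))
    return (major, minor, patch, 0 if pre else 1)  # pre-release sorts below final


def router_is_patched(version: str) -> bool:
    parsed = _parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return False  # assumption: unknown major line is flagged for manual review
    return parsed >= fixed + (1,)


def assess(sdl: str, router_version: str) -> Dict[str, object]:
    """Summarise exposure for one schema and one deployed router version."""
    at_risk = fields_relying_on_renamed_authz(sdl)
    patched = router_is_patched(router_version)
    return {"router_version": router_version, "patched": patched,
            "fields_using_renamed_authz": at_risk, "exposed": bool(at_risk) and not patched}


if __name__ == "__main__":
    for version in ("1.61.11", "1.61.12", "2.8.1-rc.0", "2.8.1"):
        print(assess(SAMPLE_SDL, version))
```

Run against a real supergraph SDL, a non-empty `fields_using_renamed_authz` list on an unpatched version is the signal to upgrade (or, as an interim measure, to import the authorization directives under their canonical names so enforcement does not depend on the rename path). Fields protected by the canonical `@authenticated` name, such as `Query.me` and `User.ssn` in the sample, are not flagged, since the advisory describes the defect as specific to renamed directives.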

Affected Version(s)

| Package | Affected versions | Fixed in |
| --- | --- | --- |
| router | < 1.61.12 | 1.61.12 |
| router | >= 2.8.1-rc.0, < 2.8.1 | 2.8.1 |
