Vulnerability Description
Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2. In versions 1.61.11 below, as well as 2.0.0-alpha.0 through 2.8.1-rc.0, a vulnerability allowed for unauthenticated queries to access data that required additional access controls. Router incorrectly handled access control directives on interface types/fields and their implementing object types/fields, applying them to interface types/fields while ignoring directives on their implementing object types/fields when all implementations had the same requirements. Apollo Router customers defining @authenticated, @requiresScopes, or @policy directives inconsistently on polymorphic types (i.e., object types that implement interface types) are impacted. This issue is fixed in versions 1.61.12 and 2.8.1.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/apollographql/router/releases/tag/v2.8.1
- https://github.com/apollographql/router/security/advisories/GHSA-x33c-7c2v-mrj9
- https://www.apollographql.com/docs/graphos/routing/security/authorization#author
FAQ
What is CVE-2025-64173?
CVE-2025-64173 is a vulnerability with a CVSS score of 7.5 (HIGH). Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2. In versions 1.61.11 below, as well as 2.0.0-alpha.0 through 2.8.1-rc.0, a vul...
How severe is CVE-2025-64173?
CVE-2025-64173 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64173?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.