Vulnerability Description
Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/apollographql/router/commit/78e4b20a2fc26cc5f141aa47992ed8537
- https://github.com/apollographql/router/security/advisories/GHSA-g8jh-vg5j-4h3f
FAQ
What is CVE-2025-64347?
CVE-2025-64347 is a vulnerability with a CVSS score of 7.5 (HIGH). Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to prot...
How severe is CVE-2025-64347?
CVE-2025-64347 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64347?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.