Description

Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2. In versions 1.61.11 below, as well as 2.0.0-alpha.0 through 2.8.1-rc.0, a vulnerability allowed for unauthenticated queries to access data that required additional access controls. Router incorrectly handled access control directives on interface types/fields and their implementing object types/fields, applying them to interface types/fields while ignoring directives on their implementing object types/fields when all implementations had the same requirements. Apollo Router customers defining @authenticated, @requiresScopes, or @policy directives inconsistently on polymorphic types (i.e., object types that implement interface types) are impacted. This issue is fixed in versions 1.61.12 and 2.8.1.

INFO

Published Date :

2025-11-06T20:42:51.785Z

Last Modified :

2025-11-06T20:42:51.785Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64173 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64173.

URL Resource
https://github.com/apollographql/router/releases/tag/v2.8.1 cve-icon cve-icon
https://github.com/apollographql/router/security/advisories/GHSA-x33c-7c2v-mrj9 cve-icon cve-icon
https://www.apollographql.com/docs/graphos/routing/security/authorization#authorization-directives cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact