Description

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1.

INFO

Published Date :

2025-11-07T17:47:28.360Z

Last Modified :

2025-11-07T18:25:59.775Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64347 vulnerability.

Vendors Products
Apollographql
  • Apollo-router
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64347.

URL Resource
https://github.com/apollographql/router/commit/78e4b20a2fc26cc5f141aa47992ed85375266a2b cve-icon cve-icon
https://github.com/apollographql/router/security/advisories/GHSA-g8jh-vg5j-4h3f cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact