CVE-2025-32032
📋 TL;DR
A denial-of-service vulnerability in Apollo Router allows attackers to craft GraphQL queries with deeply nested and reused named fragments that bypass internal optimizations, causing excessive query planning time that can exhaust thread pools and render the router inoperable. This affects all Apollo Router deployments running vulnerable versions. The vulnerability requires no authentication and can be triggered by any client that can send GraphQL queries.
💻 Affected Systems
- Apollo Router Core
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage where the Apollo Router becomes unresponsive, affecting all GraphQL operations and potentially cascading to dependent services.
Likely Case
Degraded performance or intermittent denial of service as thread pools become exhausted, impacting legitimate query processing.
If Mitigated
Minimal impact with proper query timeouts, rate limiting, and updated versions preventing the expensive planning scenarios.
🎯 Exploit Status
Exploitation requires crafting specific GraphQL queries but no authentication or special privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.61.2 or 2.1.1
Vendor Advisory: https://github.com/apollographql/router/security/advisories/GHSA-94hh-jmq8-2fgp
Restart Required: Yes
Instructions:
1. Identify the current Apollo Router version.
2. Update to version 1.61.2 (for 1.x) or 2.1.1 (for 2.x).
3. Restart the router service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Implement Query Timeouts
Configure query execution timeouts to limit how long expensive queries can run.
Configure in Apollo Router YAML:
supergraph:
  query_planning:
    experimental_cache:
      enabled: true
      timeout: "5s"
Confirm the option names against the documentation for your router version before deploying, as query-planning options are subject to renaming between releases.
Rate Limit Queries
Implement rate limiting at the network or application layer to prevent query flooding.
Use API gateway or load balancer rate-limiting rules.
🧯 If You Can't Patch
- Implement strict query validation to reject queries with deeply nested fragments.
- Deploy network-level protections like WAF rules to detect and block malicious GraphQL patterns.
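One way to implement the strict query validation workaround above, as an added example that is not part of this advisory or of the Apollo Router project: an admission check, run in a gateway or middleware in front of the router, that measures how deeply named fragments nest and how many fragment copies the query would inline to, which is the reuse pattern the CVE exploits. The sample query, the thresholds (max_depth, max_copies) and the function names are constructed for illustration.

```python
import re
# Constructed sample (not from the advisory): the operation spreads A twice, A spreads
# B twice, B spreads C twice, so a tiny document inlines to 14 copies nested 3 deep.
SAMPLE_QUERY = """
query Probe { me { ...A ...A } }
fragment A on User { id ...B ...B }
fragment B on User { name ...C ...C }
fragment C on User { email }
"""
FRAGMENT_RE = re.compile(r"\bfragment\s+([A-Za-z_]\w*)\s+on\s+[A-Za-z_]\w*\s*\{")
SPREAD_RE = re.compile(r"\.\.\.\s*(?!on\b)([A-Za-z_]\w*)")  # named spreads, not '... on T'

def split_document(text: str) -> tuple[str, dict[str, str]]:
    """Split a GraphQL document into operation text and {fragment name: body}."""
    fragments, op_parts, pos = {}, [], 0
    for m in FRAGMENT_RE.finditer(text):
        if m.start() < pos:  # keyword matched inside a body already consumed
            continue
        op_parts.append(text[pos:m.start()])
        depth = 0
        for i in range(m.end() - 1, len(text)):  # brace-match from the body's '{'
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            if depth == 0:
                break
        else:
            raise ValueError("unbalanced braces")
        fragments[m.group(1)], pos = text[m.end():i], i + 1
    op_parts.append(text[pos:])
    return "".join(op_parts), fragments

def analyze(text: str) -> tuple[int, int]:
    """Return (max fragment nesting depth, fragment copies once fully inlined)."""
    op, fragments = split_document(text)
    memo: dict[str, tuple[int, int]] = {}
    def walk(body: str, stack: tuple[str, ...]) -> tuple[int, int]:
        depth = count = 0
        for name in SPREAD_RE.findall(body):
            if name in stack or name not in fragments:
                raise ValueError(f"cyclic or undefined fragment {name}")
            if name not in memo:  # memoised: reuse is counted, never re-walked
                d, c = walk(fragments[name], stack + (name,))
                memo[name] = (d + 1, c + 1)
            depth, count = max(depth, memo[name][0]), count + memo[name][1]
        return depth, count
    return walk(op, ())

def check_query(text: str, max_depth: int = 5, max_copies: int = 100) -> bool:
    try:  # admission check: reject excessive nesting, fan-out, cycles or malformed input
        depth, copies = analyze(text)
    except ValueError:
        return False
    return depth <= max_depth and copies <= max_copies
```

Pick the thresholds from the fragment depth and fan-out of your own legitimate operations; the copy count, not the raw query length, is the figure to bound.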
🔍 How to Verify
Check if Vulnerable:
Check the Apollo Router version against the affected ranges: 1.x versions below 1.61.2, or 2.x versions below 2.1.1.
Check Version:
apollo-router --version
Verify Fix Applied:
Confirm version is 1.61.2 or higher for 1.x, or 2.1.1 or higher for 2.x.
📡 Detection & Monitoring
Log Indicators:
- Unusually long query planning times in logs
- Thread pool exhaustion warnings
- Increased CPU usage without corresponding query volume
Network Indicators:
- Spikes in GraphQL query response times
- Increased error rates for legitimate queries
SIEM Query:
source="apollo-router" AND ("query planning" OR "thread pool") AND (duration>5s OR error)