CVE-2025-32034
📋 TL;DR
A denial-of-service vulnerability in Apollo Router Core allows an attacker to craft GraphQL queries with deeply nested and reused named fragments that cause exponential resource consumption during query planning: the document stays small, but each reuse of a fragment multiplies the work the planner does when it expands it. This affects all Apollo Router deployments running versions before 1.61.2 (v1 series) or 2.1.1 (v2 series). It can be exploited by anyone who can send queries to the GraphQL endpoint, and a single request is enough to trigger the expensive path.
💻 Affected Systems
- Apollo Router Core
⚠️ Manual Verification Required
The NVD entry for this CVE may not carry machine-readable version ranges, so scanners keyed to NVD/CPE data cannot reliably determine whether a system is affected.
Why? The database record does not specify affected version ranges. The vendor advisory (GHSA-75m2-jhh5-j5g2) does: 1.x before 1.61.2 and 2.x before 2.1.1. Until scanner data catches up, verify by hand:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU/memory exhaustion, potentially requiring service restart and causing extended downtime.
Likely Case
Degraded performance and intermittent service disruptions when malicious queries are processed, impacting legitimate users.
If Mitigated
Minimal impact with query limits and monitoring in place, though such controls only bound the damage; the deployment remains exposed to a targeted query until it is patched.
🎯 Exploit Status
Exploitation requires only the ability to send GraphQL queries, which is typically unauthenticated. Crafting a query with nested, reused fragments is straightforward for anyone familiar with GraphQL, and because one query carries the cost, rate limiting reduces blast radius but does not prevent exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.61.2 for v1 series, 2.1.1 for v2 series
Vendor Advisory: https://github.com/apollographql/router/security/advisories/GHSA-75m2-jhh5-j5g2
Restart Required: Yes
Instructions:
1. Identify the current Apollo Router version (binary, image tag, or Cargo dependency).
2. Update to 1.61.2 or later (v1) or 2.1.1 or later (v2) using your package manager or deployment method.
3. Restart the Apollo Router service (or roll out the new image).
4. Verify the new version is running.
🔧 Temporary Workarounds
Implement Query Complexity Limits
Configure the router's operation limits to reject oversized or deeply nested queries before they reach the planner. These limits are defense in depth, not the fix for this CVE: they bound depth and field count but do not change the planner's fragment handling, so patch as well.
# In Apollo Router configuration (router.yaml); values are the ones shown in the router docs, tune them to your schema:
limits:
  max_depth: 100
  max_height: 200
  max_aliases: 30
  max_root_fields: 20
  parser_max_tokens: 15000
  parser_max_recursion: 500
Rate Limit Query Requests
Implement rate limiting at the network or application layer to limit query volume. This caps how many expensive queries one client can submit; it does not stop a single crafted query from consuming planning resources.
# Using nginx as reverse proxy:
# limit_req_zone $binary_remote_addr zone=graphql:10m rate=10r/s;
# location /graphql {
# limit_req zone=graphql burst=20 nodelay;
# proxy_pass http://apollo-router:4000;
# }
🧯 If You Can't Patch
- Implement strict query validation at the edge (WAF, API gateway) that rejects operations whose fully expanded selection set (named fragments substituted) exceeds a budget; raw payload size or brace nesting alone misses the fragment-reuse pattern this CVE relies on
- Deploy monitoring and alerting for abnormal CPU/memory usage patterns with automated query termination
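The pattern behind this CVE is that a few hundred bytes of text can expand to an operation with tens of thousands of fields once named fragments are substituted, so an edge check that only inspects raw size or brace depth will pass it. The following is an added example of the measurement an edge filter or gateway plugin would make; it is not Apollo Router code and does not reproduce the router's query planner. It counts the fully expanded fields and depth of each operation with memoised fragment sizes, so the check stays linear in the document size while the quantity it measures grows exponentially. The function names, the thresholds, the simplified tokenizer, and the sample document built by nested_reuse_document are all assumptions constructed for illustration.

```python
"""Edge pre-check: expanded size of a GraphQL document with named fragments.
Added example for this advisory, not Apollo Router code; names and limits are assumptions."""
import re
from typing import Dict, List, Optional, Set, Tuple

Selection = List[Tuple[str, Optional[str], Optional[list]]]  # (kind, name, sub)


def _tokenize(doc: str) -> List[str]:
    """Reduce the document to braces, spreads and names. Arguments, variable
    definitions, directives, aliases and comments do not change the selection
    structure, so they are stripped first. Caveat: a string argument containing
    ')' would confuse the paren strip; use a real parser if that matters."""
    doc = re.sub(r"#[^\n]*", "", doc)                      # comments
    doc = re.sub(r"\([^)]*\)", "", doc)                    # (args) and ($vars)
    doc = re.sub(r"@[_A-Za-z][_0-9A-Za-z]*", "", doc)      # @directives
    doc = re.sub(r"[_A-Za-z][_0-9A-Za-z]*\s*:", "", doc)   # alias:
    return re.findall(r"\.\.\.|[{}]|[_A-Za-z][_0-9A-Za-z]*", doc)


def _parse_selection_set(tokens: List[str], i: int) -> Tuple[Selection, int]:
    """Parse '{ ... }' starting at tokens[i]; return (items, index after '}')."""
    if i >= len(tokens) or tokens[i] != "{":
        raise ValueError("expected '{'")
    i += 1
    items: Selection = []
    while i < len(tokens) and tokens[i] != "}":
        tok = tokens[i]
        i += 1
        if tok == "...":
            if i >= len(tokens):
                raise ValueError("dangling '...'")
            if tokens[i] == "on":                          # ... on Type { }
                sub, i = _parse_selection_set(tokens, i + 2)
                items.append(("inline", None, sub))
            elif tokens[i] == "{":                         # ... { }
                sub, i = _parse_selection_set(tokens, i)
                items.append(("inline", None, sub))
            else:                                          # ...FragmentName
                items.append(("spread", tokens[i], None))
                i += 1
        else:                                              # field [ { } ]
            sub = None
            if i < len(tokens) and tokens[i] == "{":
                sub, i = _parse_selection_set(tokens, i)
            items.append(("field", tok, sub))
    if i >= len(tokens):
        raise ValueError("unbalanced braces")
    return items, i + 1


def parse_document(doc: str) -> Tuple[List[Selection], Dict[str, Selection]]:
    """Split a document into operation selection sets and named fragments."""
    tokens, i = _tokenize(doc), 0
    operations: List[Selection] = []
    fragments: Dict[str, Selection] = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "fragment":                              # fragment Name on Type { }
            if i + 4 >= len(tokens):
                raise ValueError("truncated fragment definition")
            sel, j = _parse_selection_set(tokens, i + 4)
            fragments[tokens[i + 1]], i = sel, j
        elif tok in ("query", "mutation", "subscription"):
            i += 1
            if i < len(tokens) and tokens[i] != "{":       # optional operation name
                i += 1
            sel, i = _parse_selection_set(tokens, i)
            operations.append(sel)
        elif tok == "{":                                   # anonymous query
            sel, i = _parse_selection_set(tokens, i)
            operations.append(sel)
        else:
            raise ValueError(f"unexpected top-level token {tok!r}")
    return operations, fragments


def _expanded(sel: Selection, fragments: Dict[str, Selection],
              cache: Dict[str, Tuple[int, int]], stack: Set[str]) -> Tuple[int, int]:
    """(fields, depth) of sel with every spread replaced by its fragment body.
    Each fragment is walked once (memoised) however often it is spread."""
    fields = depth = 0
    for kind, name, sub in sel:
        if kind == "field":
            fields += 1
            if sub is None:
                depth = max(depth, 1)
            else:
                f, d = _expanded(sub, fragments, cache, stack)
                fields, depth = fields + f, max(depth, d + 1)
        elif kind == "inline":
            f, d = _expanded(sub, fragments, cache, stack)
            fields, depth = fields + f, max(depth, d)
        else:                                              # named spread
            if name in stack:
                raise ValueError(f"fragment cycle through {name!r}")
            if name not in fragments:
                raise ValueError(f"spread of undefined fragment {name!r}")
            if name not in cache:
                stack.add(name)
                cache[name] = _expanded(fragments[name], fragments, cache, stack)
                stack.discard(name)
            f, d = cache[name]
            fields, depth = fields + f, max(depth, d)
    return fields, depth


def _raw_nesting(doc: str) -> int:
    """Deepest brace nesting in the raw text, a lower bound on expanded depth.
    Checked before parsing so the checker itself cannot be pushed into deep recursion."""
    depth = worst = 0
    for ch in doc:
        if ch == "{":
            depth += 1
            worst = max(worst, depth)
        elif ch == "}":
            depth -= 1
    return worst


def check_document(doc: str, max_fields: int = 10_000, max_depth: int = 50) -> dict:
    """Measure the document and decide whether to forward it to the router."""
    result = {"bytes": len(doc.encode()), "raw_nesting": _raw_nesting(doc),
              "expanded_fields": None, "expanded_depth": None, "accepted": False}
    if result["raw_nesting"] > max_depth:
        result["reason"] = "raw nesting exceeds max_depth"
        return result
    operations, fragments = parse_document(doc)
    cache: Dict[str, Tuple[int, int]] = {}
    fields = depth = 0
    for sel in operations:
        f, d = _expanded(sel, fragments, cache, set())
        fields, depth = max(fields, f), max(depth, d)
    result.update(expanded_fields=fields, expanded_depth=depth)
    result["accepted"] = fields <= max_fields and depth <= max_depth
    if not result["accepted"]:
        result["reason"] = "expanded size exceeds budget"
    return result


def nested_reuse_document(levels: int) -> str:
    """Constructed sample of the reuse pattern: each fragment spreads the previous
    one twice, so the text grows linearly while the expansion grows as 2**levels."""
    lines = ["fragment F0 on T { x y }"]
    for k in range(1, levels + 1):
        lines.append(f"fragment F{k} on T {{ a {{ ...F{k-1} }} b {{ ...F{k-1} }} }}")
    lines.append(f"query Q {{ root {{ ...F{levels} }} }}")
    return "\n".join(lines)


if __name__ == "__main__":
    for levels in (5, 10, 15):
        print(levels, check_document(nested_reuse_document(levels), max_fields=5_000))
```

Running the block as is prints the measurements for 5, 10 and 15 fragment levels of the constructed document: the byte count grows by a few dozen per level while expanded_fields roughly doubles, which is the asymmetry the advisory describes. The tokenizer deliberately discards arguments, directives and aliases because none of them change how many selections the planner must expand; a production filter should sit behind a parser that handles string literals properly, but the memoised expansion walk is the part that matters and transfers unchanged.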
🔍 How to Verify
Check if Vulnerable:
Check the Apollo Router version: if it is a 1.x release below 1.61.2 or a 2.x release below 2.1.1, the system is vulnerable. The two series are patched independently, so compare against the fixed version for your series, not just the highest number.
Check Version:
router --version (the release binary and the ghcr.io/apollographql/router image ship a binary named router; for cargo builds check the apollo-router crate version in Cargo.lock, or read the image tag from your deployment manifest)
Verify Fix Applied:
Confirm the running version is 1.61.2+ (v1) or 2.1.1+ (v2) and send a few queries that reuse named fragments to confirm query planning time stays flat rather than growing with the number of spreads
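Because the v1 and v2 series were fixed at different versions, a naive "is it at least 2.1.1" comparison would mark a patched 1.61.2 router as vulnerable. The check below is an added example, not vendor tooling; it assumes the version string (for instance the output of router --version, an image tag, or a Cargo.lock entry) contains a semantic version, and treats a pre-release of the fixed version such as 2.1.1-rc.0 as still vulnerable.

```python
"""Series-aware version check for CVE-2025-32034 (added example, not vendor tooling).
Fixed versions from the vendor advisory: 1.61.2 for the 1.x series, 2.1.1 for 2.x."""
import re
import subprocess
from typing import Optional

FIXED = {1: (1, 61, 2), 2: (2, 1, 1)}
_SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the first semantic version in version_text is below the fixed
    version of its series, False if at or above it, None for a series the
    advisory does not cover (e.g. pre-1.0 builds)."""
    m = _SEMVER.search(version_text)
    if not m:
        raise ValueError(f"no semantic version found in {version_text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4) is not None          # 2.1.1-rc.0 sorts before 2.1.1
    fixed = FIXED.get(core[0])
    if fixed is None:
        return None
    return core < fixed or (core == fixed and prerelease)


def check_local_router(binary: str = "router") -> Optional[bool]:
    """Run the router binary with --version and evaluate its output; assumes the
    output contains the version number. Returns None if the binary is absent."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return None
    return is_vulnerable(out.stdout + out.stderr)


if __name__ == "__main__":
    for sample in ("router 1.61.1", "router 1.61.2", "ghcr.io/apollographql/router:v2.0.0",
                   "2.1.1-rc.0", "2.1.1"):
        print(f"{sample:45} vulnerable={is_vulnerable(sample)}")
    print("local router:", check_local_router())
```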
📡 Detection & Monitoring
Log Indicators:
- Unusually long query planning times; in 1.x the router exposes these as the apollo_router_query_planning_time histogram (the metric name differs across router versions, so check your release), and request latency in apollo_router_http_request_duration_seconds
- CPU and memory spikes on router hosts that line up with bursts of GraphQL requests rather than with traffic volume overall
- Query timeouts or 5xx responses from the router while subgraphs remain healthy
Network Indicators:
- Small or moderate GraphQL payloads containing many named fragment definitions and repeated ...FragmentName spreads
- Sudden increase in query volume, or repeated submission of the same unusual operation, from a single source
SIEM Query (Splunk-style; adjust index, sourcetype and field names to your log pipeline):
index=apps sourcetype="apollo-router" ("query planning" OR "query_planning") (timeout OR "timed out")
CPU and memory are metrics rather than log fields: alert on host CPU above 90% sustained for several minutes and correlate that window with the router's request rate and planning-time metrics.