CVE-2025-32380
📋 TL;DR
A denial-of-service vulnerability in Apollo Router Core allows attackers to craft GraphQL queries with deeply nested and reused named fragments that cause excessive resource consumption during validation. This affects all systems running vulnerable versions of Apollo Router, potentially leading to service unavailability. The vulnerability stems from redundant traversal of named fragments during query validation.
💻 Affected Systems
- Apollo Router Core
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to CPU/memory exhaustion, rendering the GraphQL endpoint unavailable to legitimate users.
Likely Case
Degraded performance and intermittent service disruptions when malicious queries are processed.
If Mitigated
Minimal impact with proper rate limiting, query depth limiting, and monitoring in place.
🎯 Exploit Status
Exploitation requires only the ability to send GraphQL queries, which is typically unauthenticated. Crafting malicious queries with nested fragments is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.61.2 or 2.1.1
Vendor Advisory: https://github.com/apollographql/router/security/advisories/GHSA-3j43-9v8v-cp3f
Restart Required: Yes
Instructions:
1. Identify the current Apollo Router version.
2. Update to version 1.61.2 (for 1.x) or 2.1.1 (for 2.x).
3. Restart the Apollo Router service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Implement Query Depth Limiting
Configure Apollo Router to reject queries exceeding a maximum depth threshold.
Add the 'limits.max_depth' setting to router.yaml.
Enable Query Cost Analysis
Configure query cost analysis to reject expensive queries before validation.
Configure 'experimental_cost_analysis' in router.yaml.
🧯 If You Can't Patch
- Implement strict rate limiting and WAF rules to block queries with excessive nesting
- Deploy Apollo Router behind a reverse proxy with request size and complexity limits
🔍 How to Verify
Check if Vulnerable:
Check Apollo Router version: if version is below 1.61.2 (for 1.x) or below 2.1.1 (for 2.x), the system is vulnerable.
Check Version:
apollo-router --version
Verify Fix Applied:
Confirm version is 1.61.2 or higher (1.x) or 2.1.1 or higher (2.x) and test with sample nested fragment queries.
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes
- Slow query processing times
- Query validation timeout errors
- Increased memory consumption
Network Indicators:
- Large GraphQL query payloads
- Repeated queries with similar fragment structures
- Sudden increase in query response times
SIEM Query:
source="apollo-router" AND ("validation" OR "query") AND ("timeout" OR "slow" OR "memory")
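The log and network indicators above are indirect; a more direct check is to measure how much a query's named fragments expand when every spread is walked again, which is the traversal the advisory describes. The following is an added example, not code from Apollo or this advisory: a simplified scanner (assumed regex lexing, no directives or string literals with braces) that you can run over logged or proxied GraphQL documents to flag ones whose fragment reuse or spread depth is out of proportion to their size. A depth limit alone does not catch fan-out from reused fragments, which is what `fragment_visits` captures.

```python
import re

# Constructed sample, not from the advisory: each fragment spreads the next one twice,
# so a validator that re-walks every spread visits C four times although it is written once.
SAMPLE_QUERY = """
query Probe { me { ...A ...A } }
fragment A on User { id ...B ...B }
fragment B on User { name ...C ...C }
fragment C on User { email }
"""

# Simplified lexing (assumption): no directives on fragments, no braces inside string literals.
FRAGMENT_RE = re.compile(r"fragment\s+(\w+)\s+on\s+\w+\s*\{")
SPREAD_RE = re.compile(r"\.\.\.\s*(?!on\b)(\w+)")  # named spreads only; skips inline "... on T"

def split_document(doc):
    """Return (operation text, {fragment name: body}) by brace-matching after each 'fragment'."""
    fragments, op_parts, pos = {}, [], 0
    for m in FRAGMENT_RE.finditer(doc):
        if m.start() < pos:          # keyword inside a body already consumed
            continue
        op_parts.append(doc[pos:m.start()])
        depth, i = 0, m.end() - 1    # index of the opening brace
        while i < len(doc):
            depth += {"{": 1, "}": -1}.get(doc[i], 0)
            if depth == 0:
                break
            i += 1
        fragments[m.group(1)] = doc[m.end() - 1:i + 1]
        pos = i + 1
    op_parts.append(doc[pos:])
    return "".join(op_parts), fragments

def fragment_cost(doc):
    """Count fragment visits made when fully expanding every spread (the redundant traversal),
    plus the deepest spread chain. Unknown fragments and cycles raise, as validation would."""
    op_text, fragments = split_document(doc)
    memo = {}
    def visit(name, stack):
        if name in stack:
            raise ValueError(f"fragment cycle through {name}")
        if name not in memo:
            if name not in fragments:
                raise ValueError(f"unknown fragment {name}")
            visits, depth = 1, 1
            for child in SPREAD_RE.findall(fragments[name]):
                v, d = visit(child, stack | {name})
                visits, depth = visits + v, max(depth, d + 1)
            memo[name] = (visits, depth)
        return memo[name]
    visits = depth = 0
    for child in SPREAD_RE.findall(op_text):
        v, d = visit(child, frozenset())
        visits, depth = visits + v, max(depth, d)
    written = len(SPREAD_RE.findall(doc))
    return {"spreads_written": written, "fragment_visits": visits, "spread_depth": depth}

def is_suspicious(doc, max_visits=1000, max_depth=15):
    """Gate for a proxy or log scanner: flag documents whose expansion blows up (thresholds assumed)."""
    cost = fragment_cost(doc)
    return cost["fragment_visits"] > max_visits or cost["spread_depth"] > max_depth
```

The sample expands 6 written spreads into 14 fragment visits; tune the thresholds to the largest legitimate documents your clients send before alerting on the ratio.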