CVE-2025-64173

7.5 HIGH

📋 TL;DR

This vulnerability in Apollo Router Core allows unauthenticated GraphQL queries to bypass access controls on polymorphic types when @authenticated, @requiresScopes, or @policy directives are inconsistently applied between interface types and their implementing object types. Organizations using Apollo Router with federated supergraphs and authorization directives on polymorphic types are affected. The flaw enables unauthorized data access despite configured security requirements.

💻 Affected Systems

Products:
  • Apollo Router Core
Versions: 1.61.11 and below, 2.0.0-alpha.0 through 2.8.1-rc.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects deployments using @authenticated, @requiresScopes, or @policy directives on polymorphic types (object types implementing interface types) with inconsistent application between interfaces and implementations.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive data from all GraphQL endpoints protected by authorization directives on polymorphic types, potentially exposing confidential information, personal data, or proprietary business logic.

🟠 Likely Case

Unauthorized access to some protected GraphQL fields and data that should require authentication or specific scopes, leading to data exposure and potential compliance violations.

🟢 If Mitigated

Limited impact if organizations have additional network-level controls, rate limiting, or comprehensive monitoring that detects unusual query patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of GraphQL schema structure and authorization directives, but no authentication is needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.61.12 or 2.8.1

Vendor Advisory: https://github.com/apollographql/router/security/advisories/GHSA-x33c-7c2v-mrj9

Restart Required: Yes

Instructions:

1. Identify your Apollo Router version.
2. Upgrade to version 1.61.12 if using v1.x, or 2.8.1 if using v2.x.
3. Restart the router service.
4. Verify the update by checking the version and testing authorization controls.

🔧 Temporary Workarounds

Remove inconsistent authorization directives (applies to: all)

Temporarily remove or standardize @authenticated, @requiresScopes, and @policy directives across all polymorphic types to ensure consistent application between interface types and their implementing object types.

Implement query validation middleware (applies to: all)

Add custom GraphQL validation middleware that checks authorization consistency before processing queries.

🧯 If You Can't Patch

  • Implement network-level access controls to restrict GraphQL endpoint access to authorized users only
  • Enable comprehensive logging and monitoring for unusual query patterns targeting polymorphic types

🔍 How to Verify

Check if Vulnerable:

Check whether you are running an affected Apollo Router version (1.61.11 or below, or 2.0.0-alpha.0 through 2.8.1-rc.0) and review the GraphQL schema for @authenticated, @requiresScopes, or @policy directives that are applied inconsistently between interface types and their implementing object types.
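A schema consistency check for the review step above (it also serves the "standardize directives" workaround), added here and not part of the advisory or the Apollo Router project: it reads a supergraph SDL with a minimal line-based reader (not a full GraphQL parser; the sample schema and its type names are constructed) and reports every interface/implementation pair whose @authenticated, @requiresScopes or @policy directives differ at type level or on a shared field.

```python
import re

AUTH_DIRECTIVES = ("@authenticated", "@requiresScopes", "@policy")  # the directives named in the advisory
# Constructed sample SDL (not from the advisory): ServiceAccount implements Account but omits its auth directives.
SAMPLE_SDL = """
interface Account @authenticated {
  email: String! @requiresScopes(scopes: [["account:read"]])
}
type User implements Account @authenticated {
  email: String! @requiresScopes(scopes: [["account:read"]])
}
type ServiceAccount implements Account {
  email: String!
}
"""
HEADER_RE = re.compile(r"^(interface|type)\s+(\w+)(?:\s+implements\s+([\w&\s]+))?\s*(.*?)\s*\{$")
FIELD_RE = re.compile(r"^(\w+)(?:\([^)]*\))?\s*:\s*[\[\]\w!]+\s*(.*)$")

def auth_dirs(text):
    """Auth directives in a directive string, arguments kept (whitespace removed) so differing scopes also flag."""
    found = re.findall(r"@\w+(?:\([^)]*\))?", text)
    return {re.sub(r"\s+", "", d) for d in found if d.split("(")[0] in AUTH_DIRECTIVES}

def parse_sdl(sdl):
    """Minimal line-based SDL reader (not a full GraphQL parser): {name: {implements, dirs, fields}}."""
    types, current = {}, None
    for line in (raw.strip() for raw in sdl.splitlines()):
        header = HEADER_RE.match(line)
        if header:
            _kind, name, impls, dirs = header.groups()
            impl_list = [i.strip() for i in (impls or "").split("&") if i.strip()]
            current = types[name] = {"implements": impl_list, "dirs": auth_dirs(dirs), "fields": {}}
        elif line == "}":
            current = None
        elif current is not None and (field := FIELD_RE.match(line)):
            current["fields"][field.group(1)] = auth_dirs(field.group(2))
    return types

def find_inconsistencies(types):
    """(interface, implementation, field-or-None, iface_dirs, impl_dirs) for every pair whose directives differ."""
    findings = []
    for name, t in types.items():
        for iface_name, iface in ((i, types[i]) for i in t["implements"] if i in types):
            checks = [(None, iface["dirs"], t["dirs"])]  # type-level directives first
            checks += [(f, d, t["fields"].get(f, set())) for f, d in iface["fields"].items()]  # then each interface field
            for field, idirs, odirs in checks:
                if idirs != odirs:
                    findings.append((iface_name, name, field, tuple(sorted(idirs)), tuple(sorted(odirs))))
    return findings
```

Run `find_inconsistencies(parse_sdl(open("supergraph.graphql").read()))` against your own schema; an empty list means every implementation carries exactly the directives its interfaces declare.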

Check Version:

apollo-router --version

Verify Fix Applied:

After upgrading to 1.61.12 or 2.8.1, test authorization controls on polymorphic types by attempting unauthenticated queries that should be blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual query patterns targeting polymorphic types without authentication tokens
  • GraphQL queries that bypass expected authorization controls

Network Indicators:

  • Increased GraphQL query volume from unauthenticated sources
  • Queries accessing fields with authorization directives without proper credentials

SIEM Query:

source="apollo-router" AND (query_contains="interface" OR query_contains="implements") AND NOT auth_token_exists
