CVE-2025-64347
📋 TL;DR
Apollo Router Core versions 1.61.12-rc.0 and below and 2.8.1-rc.0 and below have an access control bypass vulnerability. When schema elements with access control directives (@authenticated, @requiresScopes, @policy) are renamed via @link imports, the router fails to enforce those directives, allowing unauthorized queries to access protected data. This affects all deployments using Apollo Router with renamed access control directives.
💻 Affected Systems
- Apollo Router Core
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete bypass of all access controls on protected GraphQL fields and types, exposing sensitive data to unauthenticated users.
Likely Case
Partial access control bypass on specific renamed protected elements, potentially exposing some sensitive data.
If Mitigated
Limited exposure if additional network or application-level controls exist, but GraphQL-level access controls remain compromised.
🎯 Exploit Status
Exploitation requires knowledge of renamed directive names and protected schema elements.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.61.12 and 2.8.1
Vendor Advisory: https://github.com/apollographql/router/security/advisories/GHSA-g8jh-vg5j-4h3f
Restart Required: Yes
Instructions:
1. Update Apollo Router to version 1.61.12 (v1) or 2.8.1 (v2) or higher.
2. Restart the router service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Remove @link directive renaming
Temporarily remove @link imports that rename access control directives until patching is possible.
🧯 If You Can't Patch
- Implement network-level access controls to restrict GraphQL endpoint access.
- Add application-level authorization checks before processing GraphQL queries.
🔍 How to Verify
Check if Vulnerable:
Check whether the Apollo Router version is 1.61.12-rc.0 or below (v1) or 2.8.1-rc.0 or below (v2), and whether any @link import renames the @authenticated, @requiresScopes, or @policy directive.
Check Version:
apollo-router --version
Verify Fix Applied:
Verify Apollo Router version is 1.61.12 or higher (for v1) or 2.8.1 or higher (for v2).
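A script for the checks above, added here as an example and not taken from the advisory or from Apollo: it scans the @link import lists of a supergraph SDL for aliased @authenticated/@requiresScopes/@policy directives and compares an `apollo-router --version` string against the fixed releases. The sample schema is constructed, and treating an -rc build of a fixed version as still unpatched is an assumption.

```python
import re

# Access control directives whose @link import aliases the router
# failed to enforce before the fix (CVE-2025-64347).
ACCESS_CONTROL = {"@authenticated", "@requiresScopes", "@policy"}
# First fixed release per major line, as stated in the advisory.
FIXED = {1: (1, 61, 12), 2: (2, 8, 1)}

# Constructed sample supergraph SDL (not from any real deployment).
SAMPLE_SDL = '''
extend schema
  @link(url: "https://specs.apollo.dev/link/v1.0")
  @link(url: "https://specs.apollo.dev/federation/v2.5",
        import: ["@key", {name: "@requiresScopes", as: "@scopes"},
                 {name: "@policy", as: "@policy"}])
  @link(url: "https://specs.apollo.dev/authenticated/v0.1",
        import: [{name: "@authenticated", as: "@loggedIn"}])

type Query {
  me: User @loggedIn
  audit: [String] @scopes(scopes: [["audit:read"]])
}
'''

def _link_args(sdl):
    """Yield the argument text of every @link(...), tracking paren depth."""
    for m in re.finditer(r"@link\s*\(", sdl):
        depth, i = 1, m.end()
        while i < len(sdl) and depth:
            depth += {"(": 1, ")": -1}.get(sdl[i], 0)
            i += 1
        yield sdl[m.end():i - 1]

def find_renamed_access_directives(sdl):
    """Return {alias: original} for access control directives imported under
    a different name; an import aliased to its own name is not a rename."""
    renames = {}
    for args in _link_args(sdl):
        for obj in re.findall(r"\{[^{}]*\}", args):
            name = re.search(r'name\s*:\s*"([^"]+)"', obj)
            alias = re.search(r'\bas\s*:\s*"([^"]+)"', obj)
            if name and alias and name.group(1) in ACCESS_CONTROL \
                    and alias.group(1) != name.group(1):
                renames[alias.group(1)] = name.group(1)
    return renames

def is_vulnerable_version(version):
    """True if the version is below its major line's first fixed release;
    a -rc pre-release sorts below the release it precedes (assumption)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(-rc\.\d+)?", version)
    if not m or int(m.group(1)) not in FIXED:
        return False  # unknown major line: not covered by the advisory
    base = tuple(int(x) for x in m.group(1, 2, 3))
    fixed = FIXED[base[0]]
    return base < fixed or (base == fixed and m.group(4) is not None)

def assess(version, sdl):
    """Exposed only when the build is unpatched AND the schema aliases
    an access control directive; returns (exposed, renames)."""
    renames = find_renamed_access_directives(sdl)
    return is_vulnerable_version(version) and bool(renames), renames
```

Run `assess` with the output of `apollo-router --version` and your composed supergraph SDL; a non-empty rename map on a patched build still documents which aliases to review.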
📡 Detection & Monitoring
Log Indicators:
- Unusual query patterns accessing previously protected fields
- Absence of access-denied errors on queries that reach renamed protected elements
Network Indicators:
- GraphQL queries to renamed protected elements without authentication headers
SIEM Query:
graphql_query:* AND (NOT auth_token:*) AND (field_name:renamed_protected_field OR type_name:renamed_protected_type)