CVE-2025-64530
📋 TL;DR
This vulnerability in Apollo Federation allows GraphQL queries to bypass access control directives (@authenticated, @requiresScopes, @policy) declared on interface types or fields: the directives were not carried over to the object types that implement the interface, so a query that selects the same data through an inline fragment on an implementing type is not subject to them. It affects users of Apollo Federation versions prior to 2.9.5, 2.10.4, 2.11.5 and 2.12.1 who apply these directives to interface types or fields.
💻 Affected Systems
- Apollo Federation
- Apollo Router
- Apollo Studio
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version ranges, so automated scanners that rely on CPE version data cannot tell whether your deployment is affected. Use the fixed versions from the vendor advisory (2.9.5, 2.10.4, 2.11.5, 2.12.1) together with the checks under "How to Verify" below instead.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users gain access to sensitive data or functionality that should be protected by access controls, potentially exposing confidential information or allowing unauthorized operations.
Likely Case
Attackers bypass authentication or authorization checks to access data they shouldn't have permission to view, leading to data exposure.
If Mitigated
Network segmentation and an upstream authentication layer (for example, requiring a valid token before a request reaches the router) limit exposure to callers who are already authenticated but lack the scopes or policies required on the interface; they do not close the gap inside the schema itself.
🎯 Exploit Status
No transport-level bypass is needed. An attacker needs to know (or, if introspection is enabled, discover) which object types implement the protected interface, then craft a query whose inline fragment (`... on ImplementingType { protectedField }`) selects the protected field through the implementing type rather than through the interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.5, 2.10.4, 2.11.5, or 2.12.1
Vendor Advisory: https://github.com/apollographql/federation/security/advisories/GHSA-mx7m-j9xf-62hw
Restart Required: Yes
Instructions:
1. Update the Apollo Federation composition library to 2.9.5, 2.10.4, 2.11.5 or 2.12.1, whichever matches your minor version line.
2. Update Apollo Router if you use it.
3. Regenerate (recompose) the supergraph schema; a supergraph composed with a vulnerable version stays vulnerable until it is recomposed.
4. Restart services.
🔧 Temporary Workarounds
Manual Access Control Duplication
Manually copy every access control directive from the interface type and from each interface field onto each implementing object type and its corresponding field, then recompose the supergraph. Keep this in sync whenever a new implementing type or field is added, since any one omission reopens the bypass for that type.
🧯 If You Can't Patch
- Implement network-level access controls to restrict GraphQL endpoint access
- Add additional authentication/authorization layers before GraphQL queries reach Apollo Router
🔍 How to Verify
Check if Vulnerable:
Check if using Apollo Federation versions prior to 2.9.5, 2.10.4, 2.11.5, or 2.12.1 AND using @authenticated, @requiresScopes, or @policy directives on interface types/fields
Check Version:
Check package.json (for example, the @apollo/composition dependency) or your build/CI configuration for the Apollo Federation composition version, and check the Apollo Router version if you run it
Verify Fix Applied:
Verify the Federation version is 2.9.5+, 2.10.4+, 2.11.5+ or 2.12.1+, recompose the supergraph, and test that a query selecting a protected field through an inline fragment on an implementing type is rejected exactly like the same selection made through the interface
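The workaround ("copy the directives down by hand") and the verification step ("make sure no implementing type or field lacks what the interface declares") are the same check from two sides. The script below is an added example written for this page, not Apollo's code: it reads a subgraph SDL, reports every @authenticated/@requiresScopes/@policy directive that an interface declares but an implementing object type or field does not repeat, and emits a patched SDL with the directives copied down. The schema is constructed for the example; the script assumes one type header and one field per line and no nested parentheses inside directive arguments, so it is a text-level check rather than a full GraphQL parser.

```python
"""Report access-control directives (@authenticated, @requiresScopes, @policy)
declared on an interface type/field that an implementing object type does not
repeat, and emit a patched SDL with them copied down (the manual workaround).
Added example for this page, not Apollo's code. It assumes one type header and
one field per line and no nested parentheses in directive arguments."""
import re

ACCESS_DIRECTIVES = {"@authenticated", "@requiresScopes", "@policy"}
# 'type Savings implements Account & Node @key(fields: "id") {'
HEADER_RE = re.compile(
    r"^(interface|type)\s+(\w+)(?:\s+implements\s+([\w\s&]+?))?\s*"
    r"((?:@\w+(?:\([^)]*\))?\s*)*)\{$")
# 'balance(currency: String): Float @requiresScopes(scopes: [["account:read"]])'
FIELD_RE = re.compile(r"^(\w+)(?:\([^)]*\))?\s*:\s*(\S+)\s*(.*)$")
DIRECTIVE_RE = re.compile(r"@\w+(?:\([^)]*\))?")

# Constructed subgraph: SavingsAccount repeats neither control declared on
# Account; CheckingAccount already duplicates both by hand.
SUBGRAPH_SDL = """\
interface Account @authenticated {
  id: ID!
  balance: Float @requiresScopes(scopes: [["account:read"]])
}

type SavingsAccount implements Account @key(fields: "id") {
  id: ID!
  balance: Float
  interestRate: Float
}

type CheckingAccount implements Account @key(fields: "id") @authenticated {
  id: ID!
  balance: Float @requiresScopes(scopes: [["account:read"]])
  overdraftLimit: Float
}

type Query {
  accounts: [Account!]!
}
"""


def _access(directives):
    """Whitespace-normalised access directive -> original text."""
    return {re.sub(r"\s+", "", d): d for d in directives
            if d.split("(")[0] in ACCESS_DIRECTIVES}


def parse_sdl(sdl):
    """{name: {kind, implements, directives, fields: {f: (type, [directives])}}}"""
    types, current = {}, None
    for raw in sdl.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            kind, name, impls, dirs = m.groups()
            current = types[name] = {
                "kind": kind, "fields": {},
                "implements": [i.strip() for i in impls.split("&")] if impls else [],
                "directives": DIRECTIVE_RE.findall(dirs or "")}
        elif line == "}":
            current = None
        elif current is not None and (fm := FIELD_RE.match(line)):
            current["fields"][fm.group(1)] = (fm.group(2), DIRECTIVE_RE.findall(fm.group(3)))
    return types


def find_gaps(types):
    """(object_type, field_or_None, directive) for each control an interface
    declares that the implementing object type/field lacks."""
    gaps = []
    for name, obj in types.items():
        for iface in (types.get(i) for i in obj["implements"]):
            if obj["kind"] != "type" or not iface or iface["kind"] != "interface":
                continue
            have = _access(obj["directives"])
            gaps += [(name, None, t) for n, t in _access(iface["directives"]).items()
                     if n not in have]
            for fname, (_, idirs) in iface["fields"].items():
                if fname in obj["fields"]:
                    have_f = _access(obj["fields"][fname][1])
                    gaps += [(name, fname, t) for n, t in _access(idirs).items()
                             if n not in have_f]
    return sorted(gaps, key=lambda g: (g[0], g[1] or "", g[2]))


def propagate(sdl):
    """Workaround: append each missing directive to the implementing type's
    header (before '{') or to the implementing field's line."""
    type_gaps, field_gaps = {}, {}
    for obj, field, text in find_gaps(parse_sdl(sdl)):
        target = field_gaps.setdefault((obj, field), []) if field else type_gaps.setdefault(obj, [])
        target.append(text)
    out, current = [], None
    for raw in sdl.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            if current in type_gaps:
                raw = raw[:raw.rindex("{")].rstrip() + " " + " ".join(type_gaps[current]) + " {"
        elif line == "}":
            current = None
        elif current is not None and (fm := FIELD_RE.match(line)):
            extra = field_gaps.get((current, fm.group(1)))
            if extra:
                raw = raw.rstrip() + " " + " ".join(extra)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for obj, field, text in find_gaps(parse_sdl(SUBGRAPH_SDL)):
        print(f"GAP {obj}{'.' + field if field else ''} lacks {text}")
    print(propagate(SUBGRAPH_SDL))
```

Run it against each subgraph before composition: on a patched Federation version the report should be empty after recomposition regardless, but while you are on the workaround, a non-empty report means a type that can still be reached through an inline fragment without the interface's controls. Directive arguments are compared after whitespace normalisation, so `@requiresScopes(scopes: [["a"]])` and `@requiresScopes(scopes:[["a"]])` count as the same control.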
📡 Detection & Monitoring
Log Indicators:
- GraphQL queries that reach protected data through inline fragments on types implementing a protected interface (`... on ImplementingType { protectedField }`) from callers who lack the scopes or policies the interface requires
- Successful responses carrying fields that should have been nulled or rejected for the caller
Network Indicators:
- GraphQL requests containing inline fragments on object types whose interface carries access control directives
SIEM Query:
graphql.query contains '... on' AND (endpoint contains 'protected' OR response_code = 200 for unauthorized users)
Treat this pattern as a starting point only: inline fragments are common in legitimate traffic, and an HTTP 200 by itself does not tell you whether protected data was served. Narrow it to fragments on types that implement a protected interface and to callers whose token lacks the scopes or policies that interface requires.
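Turning the indicator above into something that can be run over logs needs two inputs the SIEM pseudo-query does not have: which object types implement a protected interface, and what the caller actually holds. The script below is an added example for this page, not Apollo's code or log format: it scans constructed JSON-line access records (subject, granted scopes, HTTP status, query text) and flags requests whose inline fragment selects an interface-protected field on an implementing type while the caller is anonymous or lacks the required scope. The control table mirrors the schema described in this advisory's example and is an assumption; map the record fields onto whatever your gateway logs.

```python
"""Flag GraphQL requests that select interface-protected fields through an
inline fragment on an implementing object type while the caller lacks the
interface's controls. Added example for this page, not Apollo's code; the
log layout and the control table are assumptions."""
import json
import re

# Constructed: controls declared on the Account interface. The type-level
# @authenticated covers every field; balance additionally needs account:read.
INTERFACE_CONTROLS = {
    "Account": {"authenticated": True, "scopes": {"balance": {"account:read"}}},
}
IMPLEMENTERS = {"SavingsAccount": "Account", "CheckingAccount": "Account"}

# '... on SavingsAccount { balance interestRate }' -> (type, body). One level
# of nesting is enough to catch the fragment shape this CVE describes.
FRAGMENT_RE = re.compile(r"\.\.\.\s*on\s+(\w+)\s*\{([^{}]*)\}")
FIELD_RE = re.compile(r"\b[A-Za-z_]\w*\b")

# Constructed access records, one JSON object per line. sub is the token
# subject (null for anonymous), scopes the scopes granted to that token.
LOG_LINES = """\
{"sub": "u1", "scopes": ["account:read"], "status": 200, "query": "{ accounts { id balance } }"}
{"sub": "u2", "scopes": ["profile:read"], "status": 200, "query": "{ accounts { id ... on SavingsAccount { balance interestRate } } }"}
{"sub": null, "scopes": [], "status": 200, "query": "{ accounts { ... on SavingsAccount { id balance } } }"}
{"sub": "u3", "scopes": ["account:read"], "status": 200, "query": "{ accounts { ... on CheckingAccount { balance overdraftLimit } } }"}
{"sub": null, "scopes": [], "status": 200, "query": "{ accounts { id } }"}
"""


def check_record(rec):
    """Reasons (possibly none) this record looks like an interface-control bypass."""
    reasons = []
    caller_scopes = set(rec.get("scopes") or [])
    for obj_type, body in FRAGMENT_RE.findall(rec["query"]):
        iface = IMPLEMENTERS.get(obj_type)
        if iface is None:
            continue
        controls = INTERFACE_CONTROLS[iface]
        if controls["authenticated"] and rec.get("sub") is None:
            reasons.append(f"anonymous caller selected {obj_type} "
                           f"(interface {iface} requires @authenticated)")
        for field in FIELD_RE.findall(body):
            missing = controls["scopes"].get(field, set()) - caller_scopes
            if missing:
                reasons.append(f"{obj_type}.{field} selected without scope(s) "
                               f"{sorted(missing)} required on {iface}.{field}")
    return reasons


def scan(log_text):
    """[(line_number, reasons)] for every suspicious record in the log text.
    Keyed on the request and the caller, not on the HTTP status: a 200 alone
    does not say whether protected data was served."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            reasons = check_record(json.loads(line))
            if reasons:
                findings.append((lineno, reasons))
    return findings


if __name__ == "__main__":
    for lineno, reasons in scan(LOG_LINES):
        for reason in reasons:
            print(f"line {lineno}: {reason}")
```

Records 1 and 4 are benign (the caller holds account:read; record 1 does not use a fragment at all), and record 5 is an anonymous query through the interface, which the interface's own directive handles. Records 2 and 3 are the bypass shape: the protected field is reached via `... on SavingsAccount` by a caller without the scope, and in record 3 without any token. On a patched composition these requests are denied; while vulnerable they are the ones to alert on.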