CVE-2025-64347

Severity: HIGH (7.5) | EPSS: 0.06%

Apollo Router Improperly Enforces Renamed Access Control Directives

Published: 11/6/2025 | Modified: 11/7/2025
Also known as: GHSA-g8jh-vg5j-4h3f

Description

# Summary

A vulnerability in Apollo Router allowed for unauthorized access to protected data through schema elements with access control directives (`@authenticated`, `@requiresScopes`, and `@policy`) that were renamed via `@link` imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls.

## Details

Apollo Federation allows users to specify [access control directives (`@authenticated`, `@requiresScopes`, and `@policy`)](https://www.apollographql.com/docs/graphos/routing/security/authorization#authorization-directives) to protect schema data access at the element level. These directives can optionally be renamed via the [`imports` argument to the `@link` directive](https://www.apollographql.com/docs/graphos/schema-design/federated-schemas/reference/directives#renaming-directives), which can be useful if their default names match an existing user-defined directive in their subgraph schema. However, Apollo Router's access control logic ignored the `imports` argument, and would accordingly ignore access control directives that were renamed in this way.

## Who Is Impacted

This vulnerability impacts Apollo Router customers defining `@authenticated`, `@requiresScopes`, or `@policy` directives on schema elements, where those directives were renamed via `@link` imports.

### Scope of Impact

The vulnerability could allow a malicious actor to craft a query that can bypass access control requirements on schema elements protected by renamed access control directives.

## Patches

This vulnerability has been fixed in Apollo Router by updating the access control logic to handle the `imports` argument in `@link` directives.

You will need to update Router to one of the following versions:

- 1.61.12+
- 2.8.1+

## Workarounds

- If you are not immediately updating Router to a patched version, you should remove any renames of access control directives in the `imports` argument to the `@link` directive.
- Customers not using Apollo Router with renamed access control directives (`@authenticated`, `@requiresScopes`, and `@policy`) are not affected and do not need to take action.
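The check a Router operator wants before deciding between the upgrade and the workaround is whether any schema element is guarded only by a renamed access control directive. The following script is an added example, not Apollo's code or part of the advisory: it reads a schema (a constructed sample is embedded), resolves the rename entries of the `@link` import list (the argument is spelled `import` in the Federation spec; the advisory refers to it as `imports`), lists every field or type that a vulnerable Router would leave unprotected, and produces the workaround form of the schema with the renames removed. The regex-based parsing assumes the usual `@link(url: ..., import: [...])` layout and is not a full GraphQL parser.

```python
"""Audit a federated GraphQL schema for access-control directives renamed via @link.
Added example, not Apollo's code. Router releases before 1.61.12 / 2.8.1 ignore the
rename, so an element guarded only by an alias such as @auth is effectively unprotected."""
import re

ACCESS_CONTROL_DIRECTIVES = {"@authenticated", "@requiresScopes", "@policy"}

# Constructed sample schema (not from the advisory): @authenticated is renamed to @auth
# and @policy to @needsPolicy; @requiresScopes keeps its default name for contrast.
SAMPLE_SDL = '''
extend schema
  @link(url: "https://specs.apollo.dev/link/v1.0")
  @link(url: "https://specs.apollo.dev/federation/v2.5",
        import: ["@key", { name: "@authenticated", as: "@auth" },
                 "@requiresScopes", { name: "@policy", as: "@needsPolicy" }])

type Query {
  me: User @auth
  admins: [User] @requiresScopes(scopes: [["admin"]])
  audit: [String] @needsPolicy(policies: [["audit:read"]])
  public: String
}

type User @auth {
  id: ID!
  email: String @auth
}
'''


def _link_spans(sdl):
    """Offsets (start, end) of every @link(...) directive, matching parentheses."""
    spans = []
    for m in re.finditer(r"@link\s*\(", sdl):
        depth, i = 1, m.end()
        while i < len(sdl) and depth:
            depth += {"(": 1, ")": -1}.get(sdl[i], 0)
            i += 1
        spans.append((m.start(), i))
    return spans


def _import_entries(link_text):
    """Yield (name, alias) for each entry of a @link import list; alias == name if not renamed."""
    m = re.search(r"\bimport\s*:\s*\[(.*?)\]", link_text, re.S)
    if not m:
        return
    for tok in re.finditer(r"\{[^}]*\}|\"[^\"]*\"", m.group(1)):
        text = tok.group(0)
        if text.startswith("{"):  # object form: { name: "@x", as: "@y" }
            name = re.search(r"\bname\s*:\s*\"([^\"]+)\"", text)
            alias = re.search(r"\bas\s*:\s*\"([^\"]+)\"", text)
            if name:
                yield name.group(1), (alias.group(1) if alias else name.group(1))
        else:  # plain string form: "@x"
            yield text.strip('"'), text.strip('"')


def rename_map(sdl):
    """Alias -> canonical name for every access-control directive renamed via @link."""
    renames = {}
    for start, end in _link_spans(sdl):
        for name, alias in _import_entries(sdl[start:end]):
            if name in ACCESS_CONTROL_DIRECTIVES and alias != name:
                renames[alias] = name
    return renames


def find_renamed_uses(sdl):
    """(line_number, alias, canonical) for each element guarded by a renamed directive."""
    renames, uses = rename_map(sdl), []
    body = sdl
    for start, end in reversed(_link_spans(sdl)):
        # blank out the @link text (newlines kept) so the declaration itself is not counted
        body = body[:start] + re.sub(r"[^\n]", " ", body[start:end]) + body[end:]
    for line_no, line in enumerate(body.splitlines(), 1):
        for m in re.finditer(r"@\w+", line):
            if m.group(0) in renames:
                uses.append((line_no, m.group(0), renames[m.group(0)]))
    return uses


def remove_renames(sdl):
    """Advisory workaround: import access-control directives under their default names
    and rewrite every guarded element to use that name."""
    renames = rename_map(sdl)

    def collapse(m):  # { name: "@policy", as: "@needsPolicy" } -> "@policy"
        name = re.search(r"\bname\s*:\s*\"([^\"]+)\"", m.group(0))
        if name and name.group(1) in ACCESS_CONTROL_DIRECTIVES:
            return f'"{name.group(1)}"'
        return m.group(0)

    out = sdl
    for start, end in reversed(_link_spans(sdl)):
        out = out[:start] + re.sub(r"\{[^}]*\}", collapse, out[start:end]) + out[end:]
    for alias, canonical in renames.items():
        out = re.sub(re.escape(alias) + r"\b", canonical, out)
    return out


if __name__ == "__main__":
    for line_no, alias, canonical in find_renamed_uses(SAMPLE_SDL):
        print(f"line {line_no}: {alias} renames {canonical}; not enforced by vulnerable Router")
    print(remove_renames(SAMPLE_SDL))
```

On the sample, `find_renamed_uses` reports the `@auth` and `@needsPolicy` uses but not the `@requiresScopes` field, which is imported under its default name and was enforced correctly. A non-empty report means the schema depends on the fix, so either upgrade Router or deploy the output of `remove_renames` until you can.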

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |

References (4)