CVE-2025-64173
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-06

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2. In versions 1.61.11 below, as well as 2.0.0-alpha.0 through 2.8.1-rc.0, a vulnerability allowed for unauthenticated queries to access data that required additional access controls. Router incorrectly handled access control directives on interface types/fields and their implementing object types/fields, applying them to interface types/fields while ignoring directives on their implementing object types/fields when all implementations had the same requirements. Apollo Router customers defining @authenticated, @requiresScopes, or @policy directives inconsistently on polymorphic types (i.e., object types that implement interface types) are impacted. This issue is fixed in versions 1.61.12 and 2.8.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-06
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64173
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
apollo router 2.0.0-alpha.0
apollo router 1.61.12
apollo router 2.8.1-rc.0
apollo router 1.61.11
apollo router 2.8.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Apollo Router Core occurs because the router incorrectly handles access control directives on interface types/fields and their implementing object types/fields. Specifically, it applies access control directives to interface types/fields but ignores directives on their implementing object types/fields when all implementations have the same requirements. This flaw allows unauthenticated queries to access data that should require additional access controls, impacting customers who define @authenticated, @requiresScopes, or @policy directives inconsistently on polymorphic types.

Impact Analysis

The vulnerability can allow unauthenticated users to access sensitive data that should be protected by access control directives. This means that data requiring authentication or specific scopes could be exposed to unauthorized parties, potentially leading to data breaches or unauthorized data disclosure.

Mitigation Strategies

Upgrade Apollo Router Core to version 1.61.12 or 2.8.1 or later, as these versions contain the fix for the vulnerability. Additionally, review and ensure consistent application of @authenticated, @requiresScopes, or @policy directives on polymorphic types in your schema to avoid inconsistent access control.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart