CVE-2025-64173
BaseFortify
Publication date: 2025-11-06
Last updated on: 2025-11-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apollo | router | 2.0.0-alpha.0 |
| apollo | router | 1.61.12 |
| apollo | router | 2.8.1-rc.0 |
| apollo | router | 1.61.11 |
| apollo | router | 2.8.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apollo Router Core occurs because the router incorrectly handles access control directives on interface types/fields and their implementing object types/fields. Specifically, it applies access control directives to interface types/fields but ignores directives on their implementing object types/fields when all implementations have the same requirements. This flaw allows unauthenticated queries to access data that should require additional access controls, impacting customers who define @authenticated, @requiresScopes, or @policy directives inconsistently on polymorphic types.
How can this vulnerability impact me?
The vulnerability can allow unauthenticated users to access sensitive data that should be protected by access control directives. This means that data requiring authentication or specific scopes could be exposed to unauthorized parties, potentially leading to data breaches or unauthorized data disclosure.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Apollo Router Core to version 1.61.12 or 2.8.1 or later, as these versions contain the fix for the vulnerability. Additionally, review and ensure consistent application of @authenticated, @requiresScopes, or @policy directives on polymorphic types in your schema to avoid inconsistent access control.
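The schema review step above, shown as an added example in Apollo Federation SDL. This is a constructed subgraph schema written for this page, not code from the advisory or from the Apollo project; the type names, the `@link` URL and federation version, and the scope value are assumptions. The first half shows the inconsistent placement the advisory describes (requirements only on the implementing object types, all of them identical), the second half the same schema with the requirement also declared on the interface field so every query path carries it. The two halves are alternative versions of one schema, not a single document. Upgrading to a fixed router version remains the primary remediation; keeping directives consistent is the defence-in-depth check.

```graphql
# Added example (constructed, not from the advisory or the Apollo project).
# Assumed: federation v2.6 link URL, type names, and the "read:contact" scope.
extend schema
  @link(url: "https://specs.apollo.dev/federation/v2.6",
        import: ["@key", "@authenticated", "@requiresScopes"])

# ---------------------------------------------------------------------------
# BEFORE (inconsistent): the polymorphic interface carries no directives.
# Both implementations require the same thing, so on an affected router a
# selection of `email` or `phone` made through the `Account` interface is
# evaluated against the interface field, which has no requirement attached.
# ---------------------------------------------------------------------------
interface Account {
  id: ID!
  email: String!
  phone: String!
}

type Customer implements Account @key(fields: "id") {
  id: ID!
  email: String! @authenticated
  phone: String! @requiresScopes(scopes: [["read:contact"]])
}

type Vendor implements Account @key(fields: "id") {
  id: ID!
  email: String! @authenticated
  phone: String! @requiresScopes(scopes: [["read:contact"]])
}

type Query {
  account(id: ID!): Account
}

# ---------------------------------------------------------------------------
# AFTER (consistent): the same requirements are declared on the interface
# fields as well, so a query through `Account` and a query through a concrete
# type are both gated the same way. Keep the object-type directives too, so
# `... on Customer { email }` fragments are still covered.
# ---------------------------------------------------------------------------
interface Account {
  id: ID!
  email: String! @authenticated
  phone: String! @requiresScopes(scopes: [["read:contact"]])
}

type Customer implements Account @key(fields: "id") {
  id: ID!
  email: String! @authenticated
  phone: String! @requiresScopes(scopes: [["read:contact"]])
}

type Vendor implements Account @key(fields: "id") {
  id: ID!
  email: String! @authenticated
  phone: String! @requiresScopes(scopes: [["read:contact"]])
}

type Query {
  account(id: ID!): Account
}
```

When auditing a composed supergraph, list every interface field and compare its `@authenticated`, `@requiresScopes` and `@policy` annotations against each implementing object field; any field where the interface is less restrictive than all of its implementations is the pattern the advisory names and should be aligned as in the second half above.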