CVE-2025-32030: 
JavaScript vulnerability analysis and mitigation

Apollo Gateway, a utility for combining multiple GraphQL microservices into a single GraphQL endpoint, was found to contain a vulnerability (CVE-2025-32030) prior to version 2.10.1. The vulnerability allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reused fragments were involved (GitHub Advisory, NVD).

The vulnerability stems from a query planning mechanism where named fragments were expanded once per fragment spread, resulting in exponential resource consumption during the planning phase. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (GitHub Advisory, NVD).

The vulnerability could lead to excessive resource consumption and denial of service when processing queries containing deeply nested and reused named fragments. The impact primarily affects the availability of the service, with no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in Apollo Gateway version 2.10.1. The fix introduces a new Query Fragment Expansion Limit metric that computes the number of selections a query would have if its fragment spreads were fully expanded, preventing excessive computation. No direct workarounds exist for unpatched versions (GitHub Advisory, Apollo Release).