CVE-2025-32032: 
Rust vulnerability analysis and mitigation

The Apollo Router Core, a high-performance graph router written in Rust for running federated supergraphs with Apollo Federation 2, was found to contain a critical vulnerability (CVE-2025-32032). The vulnerability was discovered on April 7, 2025, affecting versions prior to 1.61.2 and 2.1.1. The flaw allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed (NVD, GitHub Advisory).

The vulnerability stems from the query planner's optimization mechanism. While the planner includes optimizations to speed up planning for applicable GraphQL selections, queries containing deeply nested and reused named fragments can generate many selections where these optimizations do not apply. The absence of a query planner timeout allows these queries to consume excessive resources. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without requiring privileges or user interaction (GitHub Advisory).

The exploitation of this vulnerability can lead to excessive resource consumption and denial of service. When exploited, a small number of specially crafted queries can exhaust the router's thread pool, effectively rendering it inoperable. This can significantly impact the availability of services relying on the Apollo Router (GitHub Advisory).

The vulnerability has been patched in apollo-router versions 1.61.2 and 2.1.1. A new Query Optimization Limit metric has been implemented to approximate the number of selections that cannot be skipped by the existing optimization, which is checked against a limit to prevent excessive computation. For users unable to update immediately, the only known workaround is implementing 'Safelisting' or 'Safelisting with IDs only' as per Apollo GraphQL's documentation (GitHub Advisory).