CVE-2025-32034: 
Rust vulnerability analysis and mitigation

The Apollo Router Core, a configurable high-performance graph router written in Rust for running federated supergraphs with Apollo Federation 2, contained a vulnerability prior to versions 1.61.2 and 2.1.1. The vulnerability allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion (GitHub Advisory, NVD).

Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reused fragments were involved. The vulnerability was assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue was classified as CWE-770: Allocation of Resources Without Limits or Throttling (NVD).

The vulnerability could lead to excessive resource consumption and denial of service. When exploited, the issue could render the router inoperable through uncontrolled resource consumption. All prior-released versions and configurations were vulnerable except those where persistedqueries.enabled, persistedqueries.safelist.enabled, and persistedqueries.safelist.requireid were all set to true (GitHub Advisory).

The vulnerability has been fixed in apollo-router versions 1.61.2 and 2.1.1. A new Query Fragment Expansion Limit metric was introduced to compute the number of selections a query would have if its fragment spreads were fully expanded, which is checked against a limit to prevent excessive computation. The only known workaround for unpatched versions is implementing 'Safelisting' or 'Safelisting with IDs only' using Persisted Queries (GitHub Advisory).