CVE-2025-64173: 
Rust vulnerability analysis and mitigation

Apollo Router Core, a configurable graph router written in Rust for running federated supergraphs using Apollo Federation 2, was found to contain a vulnerability in versions 1.61.11 and below, as well as versions 2.0.0-alpha.0 through 2.8.1-rc.0. The vulnerability allowed unauthenticated queries to access data that required additional access controls. This security issue was discovered and disclosed on November 6, 2025 (GitHub Advisory).

The vulnerability stems from incorrect handling of access control directives on interface types/fields and their implementing object types/fields. The router applied directives to interface types/fields while ignoring directives on their implementing object types/fields when all implementations had the same requirements. This affected Apollo Router customers who defined @authenticated, @requiresScopes, or @policy directives inconsistently on polymorphic types. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (GitHub Advisory).

The vulnerability could allow malicious actors to bypass access control requirements on object types/fields by querying them via implemented interface types/fields that don't have the same access control requirements. This could result in unauthorized access to protected data (GitHub Advisory).

The issue has been fixed in Apollo Router versions 1.61.12 and 2.8.1. Users are advised to upgrade to these patched versions. For those unable to update immediately, a workaround is to ensure that access control requirements are consistently applied to both interface types/fields and their implementations (GitHub Advisory).