CVE-2025-64173: 
Rust vulnerability analysis and mitigation

Apollo Router Core, a configurable graph router written in Rust for running federated supergraphs using Apollo Federation 2, was found to contain a vulnerability in versions 1.61.11 and below, as well as versions 2.0.0-alpha.0 through 2.8.1-rc.0. The vulnerability (CVE-2025-64173) allowed unauthenticated queries to access data that should have been protected by additional access controls (NVD, GitHub Advisory).

The vulnerability stems from incorrect handling of access control directives on interface types/fields and their implementing object types/fields. The router would apply directives to interface types/fields while ignoring directives on their implementing object types/fields when all implementations had the same requirements. This affected Apollo Router customers who defined @authenticated, @requiresScopes, or @policy directives inconsistently on polymorphic types. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability could allow malicious actors to bypass access control requirements on object types/fields by querying them through implemented interface types/fields that don't have the same access control requirements. This could result in unauthorized access to protected data (Miggo).

The vulnerability has been fixed in Apollo Router versions 1.61.12 and 2.8.1. Users are advised to upgrade to these patched versions. For those unable to update immediately, a workaround is available: apply any included access control requirements to both the appropriate interface types/fields and their implementations (GitHub Advisory).