CVE-2025-64347
Rust vulnerability analysis and mitigation

Overview

Apollo Router Core, a configurable Rust graph router for federated supergraphs built with Apollo Federation 2, was found to contain a security vulnerability (CVE-2025-64347) that allowed unauthorized access to protected data. The vulnerability affected versions 1.61.12-rc.0 and below, and 2.8.1-rc.0, where access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports were not properly enforced. This vulnerability was discovered and disclosed on November 5, 2025 (GitHub Advisory).

Technical details

The vulnerability stems from Apollo Router's access control logic failing to handle the imports argument in @link directives properly. When access control directives were renamed using the @link directive's imports argument, the router ignored the renamed directives entirely, so the access control requirements on the schema elements they annotated were never enforced. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a network-accessible vulnerability requiring no privileges or user interaction to exploit (GitHub Advisory).

Impact

The vulnerability could allow malicious actors to bypass access control requirements on schema elements that were protected by renamed access control directives. This could lead to unauthorized access to protected data, potentially exposing sensitive information that should have been restricted by the authentication and authorization controls (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Apollo Router versions 1.61.12 and 2.8.1 by updating the access control logic to properly handle the imports argument in @link directives. For users unable to immediately update to a patched version, a workaround is available by removing any renames of access control directives in the imports argument to the @link directive. Users not using Apollo Router with renamed access control directives are not affected and require no action (GitHub Advisory).
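As an added audit helper, not code from the advisory or from Apollo Router, the following Rust program scans a supergraph schema for the pattern the workaround above tells operators to remove: an @link that imports one of the three access control directives under a different name through the `{name: ..., as: ...}` import form, and counts the schema elements that rely on the alias (the elements an unpatched router would leave unprotected). The sample schema is constructed, and `find_renamed_access_control`, `SAMPLE_SDL` and the string-based scanning are assumptions of this example rather than Apollo APIs.

```rust
/// Access-control directives whose renaming bypassed enforcement in CVE-2025-64347.
const ACCESS_CONTROL_DIRECTIVES: [&str; 3] = ["@authenticated", "@requiresScopes", "@policy"];
/// A renamed access-control directive; `usages` = schema elements annotated with the alias.
pub struct RenamedDirective { pub original: String, pub alias: String, pub usages: usize }

/// Return the quoted string following `key` inside one `{name: ..., as: ...}` import object.
fn quoted_value(obj: &str, key: &str) -> Option<String> {
    let rest = &obj[obj.find(key)? + key.len()..];
    let open = rest.find('"')? + 1;
    rest[open..].find('"').map(|close| rest[open..open + close].to_string())
}

/// Count `alias` applied as a directive, skipping its own `as: "@alias"` declaration (followed
/// by a quote) and longer names that merely start with it (e.g. `@auth` inside `@authenticated`).
fn count_directive_uses(sdl: &str, alias: &str) -> usize {
    sdl.match_indices(alias)
        .filter(|&(i, _)| {
            let next = sdl[i + alias.len()..].chars().next();
            !matches!(next, Some(c) if c.is_alphanumeric() || c == '_' || c == '"')
        })
        .count()
}

/// Scan supergraph SDL for `@link(import: [{name: "@x", as: "@y"}])` entries that rename an
/// access-control directive, the pattern the advisory's workaround says to remove.
pub fn find_renamed_access_control(sdl: &str) -> Vec<RenamedDirective> {
    let mut found = Vec::new();
    let mut rest = sdl;
    while let Some(pos) = rest.find("@link(") {
        let body = &rest[pos + "@link(".len()..];
        let end = body.find(')').unwrap_or(body.len()); // @link arguments nest no parentheses
        let mut objs = &body[..end];
        while let Some(o) = objs.find('{') {
            let c = match objs[o..].find('}') { Some(c) => o + c, None => break };
            let obj = &objs[o..c];
            if let (Some(name), Some(alias)) = (quoted_value(obj, "name:"), quoted_value(obj, "as:")) {
                if ACCESS_CONTROL_DIRECTIVES.contains(&name.as_str()) && alias != name {
                    let usages = count_directive_uses(sdl, &alias);
                    found.push(RenamedDirective { original: name, alias, usages });
                }
            }
            objs = &objs[c + 1..];
        }
        rest = &body[end..];
    }
    found
}

/// Constructed sample (not from the advisory): @authenticated renamed to @auth, @requiresScopes kept as-is.
pub const SAMPLE_SDL: &str = r#"schema
  @link(url: "https://specs.apollo.dev/authenticated/v0.1", import: [{name: "@authenticated", as: "@auth"}])
  @link(url: "https://specs.apollo.dev/requiresScopes/v0.1", import: ["@requiresScopes"]) { query: Query }
type Query { me: User @auth  adminReport: String @requiresScopes(scopes: [["admin"]]) }
type User @auth { id: ID! secret: String @auth }"#;
```

The scanner is string-based for self-containment; a production check should walk the directives with a GraphQL parser, but the decision rule (name in the access control set and alias differs from name) is the same.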


Related Rust vulnerabilities:

CVE ID               Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2025-64347       HIGH      7.5    Rust          apollo-router   No                Yes      Nov 07, 2025
CVE-2025-64173       HIGH      7.5    Rust          apollo-router   No                Yes      Nov 06, 2025
CVE-2025-62596       HIGH      7.3    Rust          youki           No                Yes      Nov 06, 2025
CVE-2025-62161       HIGH      7.3    Rust          youki           No                Yes      Nov 06, 2025
GHSA-7vjm-6qgq-3mrq  LOW       N/A    Rust          shaman          No                No       Nov 03, 2025
