GHSA-3j43-9v8v-cp3f: 
Rust vulnerability analysis and mitigation

The Apollo Router Core, a high-performance graph router written in Rust for Apollo Federation 2, contains a vulnerability (CVE-2025-32380) that affects versions <1.61.2 and >=2.0.0-alpha.0, <2.1.1. The vulnerability allows queries with deeply nested and reused named fragments to be prohibitively expensive to validate, potentially leading to excessive resource consumption and denial of service (GitHub Advisory, NVD).

Named fragments were being processed once per fragment spread during query validation, resulting in exponential resource usage when deeply nested and reused fragments were involved. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

The vulnerability can lead to excessive resource consumption and denial of service when processing queries containing deeply nested and reused named fragments. This could potentially render the router inoperable under specific query patterns (GitHub Advisory).

The vulnerability has been patched in apollo-router versions 1.61.2 and 2.1.1, where Apollo Router's usage of Apollo Compiler has been updated to process each named fragment only once, preventing redundant traversal. For unpatched systems, the only known workaround is implementing 'Safelisting with IDs only' as per Apollo GraphQL documentation. Note that the 'Safelisting' security level alone is insufficient as it still allows freeform GraphQL queries (GitHub Advisory).