PT-2025-15296 · Apollo · Apollo Router Core

Published

2025-04-07

·

Updated

2025-04-08

·

CVE-2025-32032

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Apollo Router Core versions prior to 1.61.2
Apollo Router Core versions prior to 2.1.1
Description

A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, because the planner's internal optimizations were frequently bypassed for this query shape. The query planner enforces no timeout, so a small number of such queries can tie up and exhaust the router's thread pool, leading to excessive resource consumption and denial of service.
Recommendations

For Apollo Router Core versions prior to 1.61.2, update to version 1.61.2 or later. For Apollo Router Core versions prior to 2.1.1, update to version 2.1.1 or later. As a temporary workaround, consider enforcing a timeout on query planning so that a single pathological query cannot hold a planner thread indefinitely.
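The description above turns on one fact: a query's text can stay small while the selection set the planner has to walk, after every named fragment spread is substituted, grows exponentially. The example below is added here to illustrate that and is not Apollo Router code or a patch from the vendor. It builds a constructed query in the shape the advisory describes (fragments that each spread the previous fragment several times), measures the expanded selection count with a memoized walk that stays linear in the document size, and uses that count as a pre-planning guard. The `MAX_EXPANDED_SELECTIONS` threshold, the schema-free token counting and the helper names are assumptions for illustration; they approximate planner work rather than measure it, and they do not replace upgrading.

```python
"""Added example for this advisory (not Apollo Router code): shows why
deeply nested, reused named fragments make query planning explode while the
query text stays small, and a cheap pre-planning guard that bounds the
*expanded* selection count.  The threshold and the schema-free counting
are assumptions for illustration; the real fix is upgrading the router."""
import re

# Top-level "fragment Name on Type {" headers and "...Name" spreads.
# "(?!on\b)" keeps inline fragments ("... on Type { }") from being read as a
# spread of a fragment called "on".
FRAGMENT_DEF = re.compile(r"\bfragment\s+(\w+)\s+on\s+\w+\s*\{")
SPREAD = re.compile(r"\.\.\.\s*(?!on\b)(\w+)")
TOKEN = re.compile(r"\w+")

MAX_EXPANDED_SELECTIONS = 10_000  # assumed limit; tune to your schema


def _matching_brace(text, open_idx):
    """Index of the '}' closing the '{' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces")


def split_document(doc):
    """Return (operation selection set, {fragment name: fragment selection set}).

    Bodies are the raw text between a definition's outer braces; arguments,
    directives and inline fragments are not parsed, only counted as tokens.
    """
    fragments, cut = {}, []
    for m in FRAGMENT_DEF.finditer(doc):
        open_idx = m.end() - 1
        close_idx = _matching_brace(doc, open_idx)
        fragments[m.group(1)] = doc[open_idx + 1:close_idx]
        cut.append((m.start(), close_idx + 1))
    # Whatever is left once fragment definitions are cut out is the operation.
    rest, prev = [], 0
    for a, b in cut:
        rest.append(doc[prev:a])
        prev = b
    rest.append(doc[prev:])
    op = "".join(rest)
    open_idx = op.index("{")
    return op[open_idx + 1:_matching_brace(op, open_idx)], fragments


def expanded_size(doc):
    """Number of selections after every fragment spread is substituted.

    Memoizing per fragment keeps this linear in the document size even when
    the expanded tree is exponential, so it is cheap enough to run before
    planning.  Raises ValueError on fragment cycles or undefined fragments.
    """
    op_body, fragments = split_document(doc)
    memo = {}

    def cost(body, stack):
        n = len(TOKEN.findall(SPREAD.sub(" ", body)))  # plain fields in this body
        for name in SPREAD.findall(body):
            if name in stack:
                raise ValueError(f"fragment cycle through {name}")
            if name not in fragments:
                raise ValueError(f"unknown fragment {name}")
            if name not in memo:
                memo[name] = cost(fragments[name], stack | {name})
            n += memo[name]
        return n

    return cost(op_body, frozenset())


def check_query(doc, limit=MAX_EXPANDED_SELECTIONS):
    """(accepted, expanded_size); malformed or cyclic documents are rejected."""
    try:
        size = expanded_size(doc)
    except ValueError:
        return False, None
    return size <= limit, size


def nested_reused_fragments(depth, fanout):
    """Constructed sample input in the shape the advisory describes: each
    fragment spreads the previous one `fanout` times, so the text grows
    linearly in `depth` while the expanded set grows as fanout**depth."""
    parts = ["fragment F0 on T { a b }"]
    for i in range(1, depth + 1):
        spreads = " ".join(f"...F{i - 1}" for _ in range(fanout))
        parts.append(f"fragment F{i} on T {{ x {{ {spreads} }} }}")
    parts.append(f"query Q {{ root {{ ...F{depth} }} }}")
    return "\n".join(parts)


if __name__ == "__main__":
    benign = "query Q { user { id name } }"
    hostile = nested_reused_fragments(depth=10, fanout=3)
    for label, q in (("benign", benign), ("hostile", hostile)):
        ok, size = check_query(q)
        print(f"{label}: {len(q)} bytes of text, {size} expanded selections, "
              f"{'accepted' if ok else 'rejected'}")
```

With depth 10 and fan-out 3 the constructed document is about half a kilobyte of text but expands to roughly 150,000 selections, which is the asymmetry the planner is paying for. Because the count is memoized per fragment it finishes in linear time and can sit in front of the planner (a router plugin or an upstream gateway) as a stopgap; a validator that rejects fragment cycles, as this one does, is a prerequisite, since a cyclic document would otherwise never finish expanding. Token counting ignores arguments and inline-fragment type conditions, so treat the number as a bound on fragment blow-up rather than a measure of planning cost.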

Exploit

Fix

Weakness Enumeration

DoS
Allocation of Resources Without Limits

Related Identifiers

CVE-2025-32032
GHSA-94HH-JMQ8-2FGP

Affected Products

Apollo Router Core