PT-2025-45376 · Apollo · Apollo Router Core

Published

2025-11-06

·

Updated

2025-11-12

·

CVE-2025-64173

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apollo Router Core versions 1.61.11 and earlier
Apollo Router Core versions 2.0.0-alpha.0 through 2.8.1-rc.0
Description

Apollo Router Core, a configurable graph router written in Rust for Apollo Federation 2, had an access control issue. The router incorrectly handled authorization directives on interface types and fields and on the object types and fields that implement them. It enforced the directives declared on an interface type or field but overlooked directives declared on the implementing object types and fields, even when every implementation carried the same requirement. A query that selected such a field through the interface, rather than through a concrete object type, was therefore not subject to the implementations' requirements, and unauthenticated queries could read data that should have been protected. Customers using the @authenticated, @requiresScopes, or @policy directives on polymorphic types were potentially affected.
Recommendations

Update to Apollo Router Core version 1.61.12 or later (1.x line).
Update to Apollo Router Core version 2.8.1 or later (2.x line).
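To make the failure mode concrete, the following is an added, simplified model of the check and is not the router's own Rust code. The schema (a Node interface implemented by User and Post, with @authenticated on each implementation's secret field but not on the interface field), the query representation, and the two requirement-resolution functions are all constructed for illustration. The vulnerable resolver consults only the directives on the type that declares the selected field; the fixed resolver additionally folds in the requirements of the implementing object types when they all agree, which is the case the advisory describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldDef:
    returns: str                         # return type name
    requires: frozenset = frozenset()    # authorization directives on the field


@dataclass(frozen=True)
class TypeDef:
    kind: str                            # "object" or "interface"
    fields: dict                         # field name -> FieldDef
    implements: tuple = ()               # interfaces this object type implements
    requires: frozenset = frozenset()    # type-level authorization directives


AUTH = frozenset({"@authenticated"})

# Constructed toy supergraph (not a real Apollo schema): the interface field
# Node.secret carries no directive, but every implementation protects it.
SCHEMA = {
    "Query": TypeDef("object", {"nodes": FieldDef("Node"), "me": FieldDef("User")}),
    "Node": TypeDef("interface", {"id": FieldDef("ID"), "secret": FieldDef("String")}),
    "User": TypeDef("object", {
        "id": FieldDef("ID"),
        "secret": FieldDef("String", AUTH),
        "name": FieldDef("String"),
    }, implements=("Node",)),
    "Post": TypeDef("object", {
        "id": FieldDef("ID"),
        "secret": FieldDef("String", AUTH),
    }, implements=("Node",)),
}


def implementers(schema, iface):
    return [name for name, t in schema.items() if iface in t.implements]


def direct_requirements(schema, type_name, field_name):
    """Directives on the declaring type plus directives on the field itself."""
    t = schema[type_name]
    return t.requires | t.fields[field_name].requires


def requirements_vulnerable(schema, type_name, field_name):
    # Vulnerable behaviour: only the declaring type is consulted, so a field
    # selected through an interface ignores what the implementations require.
    return direct_requirements(schema, type_name, field_name)


def requirements_fixed(schema, type_name, field_name):
    # Fixed behaviour: for an interface field, when every implementing object
    # type has the same requirement, apply it to the interface selection too.
    reqs = direct_requirements(schema, type_name, field_name)
    t = schema[type_name]
    if t.kind == "interface":
        per_impl = [direct_requirements(schema, impl, field_name)
                    for impl in implementers(schema, type_name)]
        if per_impl and all(r == per_impl[0] for r in per_impl):
            reqs = reqs | per_impl[0]
    return reqs


def denied_paths(schema, selection, granted, requirements, parent="Query", path=()):
    """Walk a selection set and return the paths whose requirements `granted` does not satisfy.

    `selection` is a nested dict: {"field": {...}} ; a key "... on T" is an inline fragment.
    """
    denied = []
    for key, sub in selection.items():
        if key.startswith("... on "):
            denied += denied_paths(schema, sub, granted, requirements, key[len("... on "):], path)
            continue
        here = path + (key,)
        if not requirements(schema, parent, key) <= granted:
            denied.append("/".join(here))     # field stripped; do not descend
            continue
        child = schema[parent].fields[key].returns
        if sub and child in schema:
            denied += denied_paths(schema, sub, granted, requirements, child, here)
    return denied


UNAUTHENTICATED = frozenset()
INTERFACE_QUERY = {"nodes": {"id": {}, "secret": {}}}          # { nodes { id secret } }
FRAGMENT_QUERY = {"nodes": {"... on User": {"secret": {}}}}    # { nodes { ... on User { secret } } }


def demo():
    return {
        # bypass: secret selected via the interface slips past the vulnerable check
        "vulnerable_interface": denied_paths(SCHEMA, INTERFACE_QUERY, UNAUTHENTICATED, requirements_vulnerable),
        # same query is rejected once implementation requirements are folded in
        "fixed_interface": denied_paths(SCHEMA, INTERFACE_QUERY, UNAUTHENTICATED, requirements_fixed),
        # selecting through a concrete type was always checked correctly
        "vulnerable_fragment": denied_paths(SCHEMA, FRAGMENT_QUERY, UNAUTHENTICATED, requirements_vulnerable),
        # an authenticated caller still gets the field after the fix
        "fixed_authenticated": denied_paths(SCHEMA, INTERFACE_QUERY, AUTH, requirements_fixed),
    }


if __name__ == "__main__":
    for name, denied in demo().items():
        print(f"{name}: denied={denied}")
```

The interesting contrast is the first two entries of `demo()`: the same unauthenticated `{ nodes { secret } }` query returns no denied paths under the vulnerable resolver and denies `nodes/secret` under the fixed one, while the inline-fragment form `{ nodes { ... on User { secret } } }` is denied either way because the concrete object type's directive is consulted directly. The fixed resolver deliberately does nothing when the implementations disagree, since no single requirement can then be attached to the interface field.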

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2025-64173
GHSA-X33C-7C2V-MRJ9

Affected Products

Apollo Router Core