PT-2025-45381 · Apollo · Apollo Router Core

Published 2025-11-06 · Updated 2025-11-12 · CVE-2025-64347

CVSS v3.1 7.5 High · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apollo Router Core versions 1.61.12-rc.0 through 1.61.12 and 2.8.1-rc.0 through 2.8.1
Description

Apollo Router Core, the Rust graph router for Apollo Federation 2, did not enforce its element-level access control directives (@authenticated, @requiresScopes and @policy) when those directives were imported under a different name through a @link import (Federation 2 allows entries such as `import: [{name: "@authenticated", as: "@auth"}]`). The router did not recognise the renamed directives, so a field or type annotated with the renamed form was treated as unprotected and a query could read it without the authentication, scopes or policy the schema demands. The impact is confidentiality only (CVSS vector C:H/I:N/A:N): protected data can be read, but not modified, and availability is unaffected. Any affected version serving a Federation 2 supergraph that renames one of these directives is exposed; the bypass depends on the rename, not on the directives themselves.
Recommendations

Update to Apollo Router Core 1.61.12 on the 1.x line or 2.8.1 on the 2.x line. Until the upgrade is deployed, check the supergraph schema for @link imports that rename @authenticated, @requiresScopes or @policy; every field or type that relies on the renamed form is reachable without authorization on an affected router. After upgrading, confirm the fix by querying such a field without credentials and checking that the router rejects the request instead of returning data.
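The following audit script is an added example, not code from the advisory or from the Apollo Router project. It takes a constructed, simplified Federation 2 schema in which @authenticated and @requiresScopes are imported under the aliases @auth and @scopes, and lists the fields that a router matching only canonical directive names would serve without authorization. The regexes assume the rename appears as a @link `import` entry of the form `{name: "@authenticated", as: "@auth"}` and that field definitions sit one per line; a composed supergraph may express the link differently, so adapt them to your own schema.

```python
import re

# Constructed sample schema (not taken from the advisory): the Federation 2
# access-control directives are imported via @link, and two of them are renamed.
SAMPLE_SDL = '''
schema
  @link(url: "https://specs.apollo.dev/link/v1.0")
  @link(url: "https://specs.apollo.dev/federation/v2.7",
        import: ["@key", "@policy",
                 {name: "@authenticated", as: "@auth"},
                 {name: "@requiresScopes", as: "@scopes"}])
{
  query: Query
}

type Query {
  me: User @auth
  audit: [String!]! @scopes(scopes: [["audit:read"]])
  admin: String @policy(policies: [["admin"]])
  public: String
}

type User @key(fields: "id") {
  id: ID!
  email: String @authenticated
}
'''

# Canonical names of the directives the advisory covers.
ACCESS_CONTROL = {"@authenticated", "@requiresScopes", "@policy"}

# Assumed shapes: @link(...) arguments contain no parentheses, renames use the
# {name: "...", as: "..."} import form, type bodies contain no braces.
LINK_RE = re.compile(r'@link\s*\(([^)]*)\)')
RENAME_RE = re.compile(r'\{\s*name\s*:\s*"(@\w+)"\s*,\s*as\s*:\s*"(@\w+)"\s*\}')
TYPE_RE = re.compile(r'\btype\s+(\w+)[^{]*\{([^}]*)\}')
FIELD_RE = re.compile(r'^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*(.+)$')
DIRECTIVE_RE = re.compile(r'@\w+')


def alias_map(sdl):
    """Map each @link rename alias to its canonical access-control directive."""
    aliases = {}
    for link in LINK_RE.finditer(sdl):
        for canonical, alias in RENAME_RE.findall(link.group(1)):
            if canonical in ACCESS_CONTROL:
                aliases[alias] = canonical
    return aliases


def field_directives(sdl):
    """Return (type_name, field_name, [directive names]) for every field of every object type."""
    out = []
    for type_name, body in TYPE_RE.findall(sdl):
        for line in body.splitlines():
            m = FIELD_RE.match(line)
            if m:
                out.append((type_name, m.group(1), DIRECTIVE_RE.findall(m.group(2))))
    return out


def protected_fields(sdl, resolve_aliases):
    """Fields carrying an access-control directive.

    resolve_aliases=False models the vulnerable behaviour: only canonical
    directive names are recognised. resolve_aliases=True models the intended
    behaviour: @link renames are mapped back to the canonical name first."""
    aliases = alias_map(sdl) if resolve_aliases else {}
    protected = set()
    for type_name, field, directives in field_directives(sdl):
        names = {aliases.get(d, d) for d in directives}
        if names & ACCESS_CONTROL:
            protected.add(f"{type_name}.{field}")
    return protected


def bypassable_fields(sdl):
    """Fields the schema author protected but an unpatched router serves unauthenticated."""
    return sorted(protected_fields(sdl, True) - protected_fields(sdl, False))


if __name__ == "__main__":
    for fq in bypassable_fields(SAMPLE_SDL):
        print(f"bypassable on an unpatched router: {fq}")
```

Run it against a supergraph before upgrading to see which fields need attention. An empty result from bypassable_fields means the schema does not rename its access-control directives, not that the router is patched; the upgrade is still required.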

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2025-64347
GHSA-G8JH-VG5J-4H3F

Affected Products

Apollo Router Core