PT-2025-46925 · Apollo · Apollo Federation

Published 2025-11-13 · Updated 2025-11-14 · CVE-2025-64530

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apollo Federation versions prior to 2.9.5
Apollo Federation versions prior to 2.10.4
Apollo Federation versions prior to 2.11.5
Apollo Federation versions prior to 2.12.1

Description

Apollo Federation is an architecture for composing APIs into a unified graph. A flaw in the composition logic of Apollo Federation allowed queries to bypass access controls on types and fields. Specifically, user-defined access control directives on interface types and fields could be bypassed by querying the implementing object types and fields using inline fragments in Apollo Router. The fix disallows user-defined access control directives on interface types and fields.

Recommendations

Update to Apollo Federation version 2.9.5 or later.
Update to Apollo Federation version 2.10.4 or later.
Update to Apollo Federation version 2.11.5 or later.
Update to Apollo Federation version 2.12.1 or later.

For users of Apollo Rover with an unpatched composition version, or of the Apollo Studio build pipeline with Federation version 2.8 or below, manually copy access control requirements from interface types/fields to each implementing object type/field. Do not remove access control requirements from interface types/fields if using an unpatched Apollo Composition version.
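The manual workaround above is easy to get wrong in a large schema: every object type implementing a protected interface, and every implementing field of a protected interface field, has to carry the same directive. The following lint is an added example written for this page, not code from the advisory or from Apollo. It assumes a hypothetical user-defined directive named `@requiresRole` (the advisory does not name the directives involved), a constructed sample schema, and a deliberately simplified line-based reading of SDL (one type definition per block, one field per line, no descriptions or multi-line arguments) rather than a full GraphQL parser. It reports each implementing object type or field that lacks an access-control directive present on its interface.

```python
import re
from dataclasses import dataclass, field

# Hypothetical user-defined access-control directive names to check for.
# The advisory does not name the directives involved; this set is an assumption.
ACCESS_DIRECTIVES = {"requiresRole"}

# Constructed sample schema (not taken from the advisory). The interface and its
# `balance` field carry the directive; SavingsAccount copies both, CheckingAccount
# copies neither and is the case the lint should flag.
SAMPLE_SDL = """
directive @requiresRole(role: String!) on OBJECT | INTERFACE | FIELD_DEFINITION

interface Account @requiresRole(role: "ADMIN") {
  id: ID!
  balance: Int @requiresRole(role: "AUDITOR")
}

type SavingsAccount implements Account @requiresRole(role: "ADMIN") {
  id: ID!
  balance: Int @requiresRole(role: "AUDITOR")
}

type CheckingAccount implements Account {
  id: ID!
  balance: Int
}

type Query {
  accounts: [Account]
}
"""

# Simplified SDL patterns (assumption: one type per block, one field per line).
TYPE_HEADER = re.compile(
    r"^(interface|type)\s+(\w+)"
    r"(?:\s+implements\s+([\w\s&]+?))?"
    r"\s*((?:@\w+(?:\([^)]*\))?\s*)*)\{\s*$"
)
FIELD_LINE = re.compile(
    r"^(\w+)\s*(?:\([^)]*\))?\s*:\s*[\[\]\w!\s]+((?:@\w+(?:\([^)]*\))?\s*)*)$"
)
DIRECTIVE_NAME = re.compile(r"@(\w+)")


@dataclass
class TypeDef:
    kind: str                                   # "interface" or "type"
    name: str
    implements: list                            # names from the `implements` clause
    directives: set                             # directive names on the type itself
    fields: dict = field(default_factory=dict)  # field name -> set of directive names


def parse_sdl(sdl):
    """Return {type name: TypeDef} for interface and object type definitions."""
    types = {}
    current = None
    for raw in sdl.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            m = TYPE_HEADER.match(line)
            if m:
                kind, name, impl, dirs = m.groups()
                implements = [i.strip() for i in (impl or "").split("&") if i.strip()]
                current = TypeDef(kind, name, implements, set(DIRECTIVE_NAME.findall(dirs)))
                types[name] = current
            continue
        if line.startswith("}"):
            current = None
            continue
        m = FIELD_LINE.match(line)
        if m:
            current.fields[m.group(1)] = set(DIRECTIVE_NAME.findall(m.group(2)))
    return types


def find_missing_controls(sdl, access_directives=ACCESS_DIRECTIVES):
    """List (object type, field or None, interface, directive) tuples where an
    access-control directive on an interface (or interface field) was not copied
    to the implementing object type (or its field)."""
    types = parse_sdl(sdl)
    findings = []
    for obj in types.values():
        if obj.kind != "type":
            continue
        for iface_name in obj.implements:
            iface = types.get(iface_name)
            if iface is None or iface.kind != "interface":
                continue
            for d in sorted(iface.directives & access_directives):
                if d not in obj.directives:
                    findings.append((obj.name, None, iface.name, d))
            for fname, fdirs in iface.fields.items():
                for d in sorted(fdirs & access_directives):
                    if d not in obj.fields.get(fname, set()):
                        findings.append((obj.name, fname, iface.name, d))
    return findings


if __name__ == "__main__":
    for obj, fld, iface, directive in find_missing_controls(SAMPLE_SDL):
        where = obj if fld is None else f"{obj}.{fld}"
        print(f"{where}: missing @{directive}, present on interface {iface}")
```

Run against the sample schema, the lint reports `CheckingAccount` and `CheckingAccount.balance` as missing `@requiresRole` while `SavingsAccount` passes. In a real subgraph the directive names in `ACCESS_DIRECTIVES` would be replaced with the schema's own user-defined access-control directives, and the check would run in CI before composition so a gap is caught before the supergraph is published.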

Exploit

Fix

Weakness Enumeration

Improper Access Control
Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2025-64530
GHSA-MX7M-J9XF-62HW

Affected Products

Apollo Federation