@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields

Summary A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead...

CVE-2025-64347

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives @authenticated, @requiresScopes...

CVE-2025-64347 Apollo Router Improperly Enforces Renamed Access Control Directives

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives @authenticated, @requiresScopes...

EUVD-2025-38037

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives @authenticated, @requiresScopes...

GHSA-X33C-7C2V-MRJ9 Apollo Router Affected by an Access Control Bypass on Polymorphic Types

Summary A vulnerability in Apollo Router allowed for unauthenticated queries to access data that required additional access controls. Router incorrectly handled access control directives on interface types/fields and their implementing object types/fields, applying them to interface types/fields...