1233 matches found
MAL-2025-139530 Malicious code in apollo-server-terser-webpack-plugin-quantum (npm)
Source: amazon-inspector 242351a23e7cfbb27df8dcfbf0a3ce9e20b76ec9c4b6267b770b2fa7c8a05448 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in regulus-geckodriver-apollo-ignite (npm)
Source: amazon-inspector d86803956b94c8ff513b4ef9bea65fe82c6737e4b0244a4e7a7456162559bd4b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in uninstall-apollo-gacrux-dependencies (npm)
Source: amazon-inspector b5519f459b0ae7839ec0ab31389af3597e630d33968dd80b319073346517cae0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
CVE-2025-64347
Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives @authenticated, @requiresScopes...
CVE-2025-64173
Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2. In versions 1.61.11 and below, as well as 2.0.0-alpha.0 through 2.8.1-rc.0, a vulnerability allowed for unauthenticated queries to access data that required additional access...
CVE-2025-64347 Apollo Router Improperly Enforces Renamed Access Control Directives
Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives @authenticated, @requiresScopes...
EUVD-2025-38037
Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives @authenticated, @requiresScopes...
CVE-2025-64347
CVE-2025-64347 concerns Apollo Router Core. Affected: Router Core with Apollo Federation 2, specifically versions 1.61.12-rc.0 and below, and 2.8.1-rc.0 and below. Root cause: access control directives renamed via @link imports were not enforced on renamed schema elements (e.g., fields and types)...
Apollo Router Core Access Control Error Vulnerability
Apollo Router Core is a router core application for the Apollo community. An access control error vulnerability exists in Apollo Router Core versions 1.61.12-rc.0 and earlier and 2.8.1-rc.0, which stems from not enforcing renamed access control commands, which could lead to bypassing element-leve...
CVE-2025-64173 Apollo Router Core: Access Control Bypass on Polymorphic Types
Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2. In versions 1.61.11 and below, as well as 2.0.0-alpha.0 through 2.8.1-rc.0, a vulnerability allowed for unauthenticated queries to access data that required additional access...
CVE-2025-64173
CVE-2025-64173 affects Apollo Router Core (Rust) in versions 1.61.11 and earlier and 2.0.0-alpha.0 through 2.8.1-rc.0. The vulnerability stems from incorrect handling of access control directives on interface types/fields and their implementing object types/fields, causing unauthenticated queries...
inigo-rs (>=0.1.5 <=0.27.8) potentially affected by CVE-2025-64173 via apollo-router (=1.2.1)
apollo-router CARGO version =1.2.1 is affected by a known vulnerability. The following packages have a transitive dependency on apollo-router and may be impacted: - inigo-rs =0.1.5, =0.27.8 Source cves: CVE-2025-64173 Source advisory: OSV:GHSA-X33C-7C2V-MRJ9...
EUVD-2025-38036
Apollo Router Affected by an Access Control Bypass on Polymorphic Types...
Apollo Router Affected by an Access Control Bypass on Polymorphic Types
Summary A vulnerability in Apollo Router allowed for unauthenticated queries to access data that required additional access controls. Router incorrectly handled access control directives on interface types/fields and their implementing object types/fields, applying them to interface types/fields...
inigo-rs (>=0.1.5 <=0.27.8) potentially affected by CVE-2025-64347 via apollo-router (=1.2.1)
apollo-router CARGO version =1.2.1 is affected by a known vulnerability. The following packages have a transitive dependency on apollo-router and may be impacted: - inigo-rs =0.1.5, =0.27.8 Source cves: CVE-2025-64347 Source advisory: OSV:GHSA-G8JH-VG5J-4H3F...