GHSA-M8JR-FXQX-8XX6 Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
Summary: A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields...
EUVD-2025-197661
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields...
Incorrect Authorization
Overview: @apollo/composition is a package of Apollo Federation composition utilities. Affected versions of this package are vulnerable to Incorrect Authorization via the composition logic, which failed to validate that fields have the same access control requirements as the data they reference. An attacker...
EUVD-2025-180542
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields...
GHSA-MX7M-J9XF-62HW @apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
Summary: A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead...
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
Summary: A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead...
Authentication Bypass Using an Alternate Path or Channel
Overview: @apollo/composition is a package of Apollo Federation composition utilities. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel. An attacker can gain unauthorized access to restricted interface types or fields by crafting queries that target...
CVE-2025-64530
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. A vulnerability in versions of Apollo Federation's composition logic prior to 2.9.5, 2.10.4, 2.11.5, and 2.12.1 allowed some queries to Apollo Router to improperly bypass access controls on types/fields...
CVE-2025-64530
The CVE describes a vulnerability in Apollo Federation’s composition logic: in versions prior to 2.9.5, 2.10.4, 2.11.5, and 2.12.1, queries could bypass access controls on interface types/fields by querying implementing object types/fields via inline fragments, due to user-defined access control ...
CVE-2025-64530 @apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. A vulnerability in versions of Apollo Federation's composition logic prior to 2.9.5, 2.10.4, 2.11.5, and 2.12.1 allowed some queries to Apollo Router to improperly bypass access controls on types/fields...
EUVD-2025-180383
Malicious code in apollo-nodejs-helmet-loglevel npm...
EUVD-2025-180384
Malicious code in apollo-ini-grunt-radiant npm...
EUVD-2025-180382
Malicious code in apollo-redgiant-kardashevscale-pino npm...
EUVD-2025-178418
Malicious code in inflation-apollo-rocket-higgs npm...
EUVD-2025-180388
Malicious code in apollo-dotenv-parse-variables-stratigraphy-private npm...
EUVD-2025-178857
Malicious code in fork-winston-apollo-yaml npm...
Malicious code in envconfig-apollo-dependencies-update (npm)
Source: amazon-inspector (dc6efee11ebc8382fbece0fc1803392ff0837ae4af2341841d4b417793e252fe). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-179010
Malicious code in europa-umbriel-solis-apollo npm...