7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64173

CVE-2025-64173: Apollo Router Affected by an Access Control Bypass on Polymorphic Types

Summary

A vulnerability in Apollo Router allowed for unauthenticated queries to access data that required additional access controls. Router incorrectly handled access control directives on interface types/fields and their implementing object types/fields, applying them to interface types/fields while ignoring directives on their implementing object types/fields when all implementations had the same requirements.

Details

Apollo Federation allows users to specify access control directives (@authenticated, @requiresScopes, and @policy) to protect object and interface types and fields. However, the GraphQL specification does not define inheritance rules for directives from interfaces to their implementations. Apollo Router will enforce any directives on the interface types/fields but ignore any directives on the implementation object types/fields (as long as all implementations have the same requirements). This inconsistent enforcement behavior leads to unexpected runtime security gaps.

Who is impacted

This vulnerability impacts Apollo Router customers defining @authenticated, @requiresScopes, or @policy directives inconsistently on polymorphic types (i.e., object types that implement interface types). Specifically, if the same access control directives are applied to all implementing types/fields but not on their implemented interface types/fields, they could be impacted.

Scope of Impact

This vulnerability could allow a malicious actor to craft a query that can bypass access control requirements on the object types/fields by instead querying them via implemented interface types/fields that don't have the same access control requirements.

Patches

This vulnerability has been fixed at runtime in Apollo Router. You may update Router to one of the following versions:

1.61.12+
2.8.1+

Workarounds

If you are not immediately updating Router to a patched version, you should apply any included access control requirements to both the appropriate interface types/fields and their implementations.
Customers not using Apollo Router access control features (@authenticated, @requiresScopes, or @policy directives) or not specifying inconsistent access control requirements on polymorphic types/fields are not affected and do not need to take action.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64173

CVE-2025-64173:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
apollo-router	rust	< 1.61.12	1.61.12
apollo-router	rust	>= 2.0.0-alpha.0, < 2.8.1	2.8.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in how the Apollo Router's authorization plugin handles polymorphic GraphQL types (interfaces and their implementations). The core of the issue is that when checking for authorization directives (@authenticated, @policy, @requiresScopes), the router would only check if all implementations of an interface had the same authorization requirements. If an interface had no authorization directives, but all of its implementing types had the exact same directive (e.g., all had @authenticated), the router would incorrectly determine that no authorization check was needed when the interface was queried directly. This allowed an attacker to bypass the authorization intended for the implementing types by crafting a query that accessed the data through the unprotected interface.

The patch addresses this by changing the logic. Instead of checking if the implementations have different requirements, the patched code checks if any of the implementations have authorization requirements that are not satisfied by the current request context. This is done by renaming functions like implementors_with_different_requirements to implementors_with_authenticated_requirements or implementors_with_missing_requirements and completely changing their internal logic to properly enforce the directives on the implementing types, even when queried via the interface.

The vulnerable functions are the enter_field methods within the AuthenticatedVisitor, PolicyFilteringVisitor, and ScopeFilteringVisitor structs, which are part of the query traversal process. These functions relied on the flawed helper functions (e.g., implementors_with_different_requirements) to make authorization decisions, leading to the access control bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64173: Apollo Router Affected by an Access Control Bypass on Polymorphic Types

Summary

Details

Who is impacted

Scope of Impact

Patches

Workarounds

CVE-2025-64173:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-64173: Apollo Router Affected by an Access Control Bypass on Polymorphic Types

Summary

Details

Who is impacted

Scope of Impact

Patches

Workarounds

7.5

7.5

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI