7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-m8jr-fxqx-8xx6

EPSS Score

CWE

CWE-863

Published

11/14/2025

Updated

11/14/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-m8jr-fxqx-8xx6

GHSA-m8jr-fxqx-8xx6: Apollo Federation has Improper Enforcement of Access Control on Transitive Fields

Summary

A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields indirectly through their dependencies, bypassing access control checks. A fix to composition logic in Federation now enforces that dependent fields match the access control requirements from of the fields they reference.

Details

Apollo Federation allows users to specify @authenticated, @requiresScopes, and @policy directives to protect fields at the field level. The @requires directive allows a field to depend on data from other fields in the schema, and @fromContext allows a field to use values from the execution context. However, Apollo Router does not enforce access control requirements on these transitively-accessed fields, and Apollo Federation did not require that fields using @requires or @fromContext have the same access control as the fields they depend on.

At execution time, when a field decorated with @requires or @fromContext was resolved, the Router would fetch the required dependency fields from subgraphs without checking whether those fields had their own access control requirements. Access control directives applied to these dependency fields were only enforced when those fields appeared explicitly in the query. If the protected fields were accessed solely as transitive dependencies (in other words, fetched to satisfy @requires or @fromContext but not directly requested) their access control requirements were silently ignored.

This discrepancy between where access controls could be defined (on any field) and where it was enforced (only on explicitly queried fields) leads to unexpected runtime security gaps.

Who is impacted

This vulnerability impacts Apollo Federation customers with supergraphs defining @authenticated, @requiresScopes, or @policy directives on fields that are also specified as dependencies in @requires or @fromContext directives.

Scope of Impact

The vulnerability could allow a malicious actor to craft a query that indirectly accesses protected fields, allowing them to bypass field-level access control. By querying only fields that depend on protected data (via @requires or @fromContext) without explicitly requesting the protected fields themselves, an attacker could retrieve sensitive information without meeting the access control requirements.

Patches

This vulnerability has been fixed in Apollo Federation by updating composition logic to validate that access control requirements on @requires and @fromContext dependency fields match the resolving field's requirements.

Note that this is a breaking change to Apollo Federation, as it no longer allows fields using @requires or @fromContext to have different access control directives from the fields they depend on. You will need to update your subgraphs to ensure that the access control requirements on fields using @requires or @fromContext match the access control directives on the referenced fields.

If you are using the Apollo Studio build pipeline with Federation version 2.9 or above, then this patch version update is automatic and you only need to adjust the access control requirements in your subgraph schemas as mentioned above.

If you are using Apollo Rover for local composition, you will need to update its composition version (after updating Apollo Router, if necessary) to one of the following versions:

2.9.5+
2.10.4+
2.11.5+
2.12.1+

You will then need to adjust the access control requirements in your subgraph schemas as mentioned above.

Workarounds

If you are using Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below, you should review your schema for any sensitive fields that are accessed via @requires or @fromContext and explicitly apply matching access control directives on those transitive fields. Alternatively, consider restructuring your schema so that protected fields are queried directly.

Customers not using Apollo Router access control features (@authenticated, @requiresScopes, or @policy directives) or not using @requires or @fromContext directives in combination with field-level access control are not affected and do not need to take action.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-m8jr-fxqx-8xx6

GHSA-m8jr-fxqx-8xx6:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-m8jr-fxqx-8xx6

EPSS Score

CWE

CWE-863

Published

11/14/2025

Updated

11/14/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@apollo/composition	npm	< 2.9.5	2.9.5
@apollo/composition	npm	>= 2.10.0-alpha.3, < 2.10.4	2.10.4
@apollo/composition	npm	>= 2.11.0-preview.1, < 2.11.5	2.11.5
@apollo/composition	npm	>= 2.12.0-preview.0, < 2.12.1	2.12.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability in Apollo Federation allowed for bypassing access control on GraphQL fields. This was due to a flaw in the composition logic, which is responsible for combining multiple subgraph schemas into a single supergraph schema. Specifically, when a field used the @requires or @fromContext directives to depend on another field that was protected by authorization directives (@authenticated, @requiresScopes, or @policy), the composition logic did not enforce that the dependent field carried the same authorization requirements.

The analysis of the patches shows that the fix involved a significant refactoring of how authorization directives are handled during composition. The key changes were made in the Merger and AuthValidator classes within composition-js/src/merging/merge.ts.

The function Merger.propagateAuthToInterfaces was part of the old, vulnerable logic and was completely removed, indicating it was a source of the problem. This function was responsible for propagating authorization requirements, but it failed to do so for transitive dependencies.

The functions AuthValidator.validateRequiresFieldSet and AuthValidator.validateFromContext are responsible for validating the authorization rules on fields with @requires and @fromContext directives, respectively. While the changes in the patch to these functions are minor, they are part of the overall fix. The main fix is in the data that these functions receive from the Merger class, which now correctly accounts for transitive dependencies thanks to the new accessControlAdditionalSources function. The vulnerability was that these validation functions were not being provided with the necessary information to detect the missing authorization on dependent fields.

Therefore, the identified functions were all part of the flawed composition and validation process that allowed the creation of a vulnerable supergraph schema. An attacker could exploit this by crafting a query that accessed protected data indirectly, bypassing the intended access control.

Vulnerable functions

Merger.propagateAuthToInterfaces

composition-js/src/merging/merge.ts

This function was responsible for propagating authorization requirements to interfaces. It was removed in the patch, indicating that its logic was flawed and incomplete. It did not correctly handle transitive dependencies, allowing fields to bypass access control checks when they depended on protected fields via `@requires` or `@fromContext`.

AuthValidator.validateRequiresFieldSet

composition-js/src/merging/merge.ts

This function validates fields that use the `@requires` directive. Before the patch, it did not properly check for authorization requirements on transitively accessed fields. This allowed a field to access protected data without having the necessary authorization directives, as long as the access was indirect. The patch, in conjunction with changes in the `Merger` class, makes this validation stricter.

AuthValidator.validateFromContext

composition-js/src/merging/merge.ts

Similar to `validateRequiresFieldSet`, this function validates fields using the `@fromContext` directive. The vulnerability existed here as well, where the function failed to enforce that the field has the same access control requirements as the transitively referenced fields from the context. The patch enhances the validation logic to close this security gap.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-m8jr-fxqx-8xx6: Apollo Federation has Improper Enforcement of Access Control on Transitive Fields

Summary

Details

Who is impacted

Scope of Impact

Patches

Workarounds

GHSA-m8jr-fxqx-8xx6:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-m8jr-fxqx-8xx6: Apollo Federation has Improper Enforcement of Access Control on Transitive Fields

Summary

Details

Who is impacted

Scope of Impact

Patches

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI