CVE-2025-64347— Apollo Router Improperly Enforces Renamed Access Control Directives

Apollo Router Improperly Enforces Renamed Access Control Directives

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

访问控制不恰当

Apollo Router Core 访问控制错误漏洞

Apollo Router Core是Apollo社区的一个路由器核心应用程序。 Apollo Router Core 1.61.12-rc.0及之前版本和2.8.1-rc.0版本存在访问控制错误漏洞，该漏洞源于未强制执行重命名的访问控制指令，可能导致绕过元素级访问控制。

N/A

N/A