Key Information

Vulnerability Overview
Vulnerability Name: Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass
CVE ID: CVE-2025-32032
CVSS Score: 7.5/10 (High)
Release Date: Yesterday

Affected Scope
Affected Versions:
- (Rust): >=2.0.0-alpha.0, <2.1.1
Fixed Versions:
- : 1.61.2, 2.1.1

Vulnerability Description
Impact: Because an internal planner optimization is bypassed frequently, query planning becomes excessively costly, which can lead to resource exhaustion and denial of service.
Details: The query planner's optimization fails on deeply nested and repetitive fragment selections, so planning such queries takes a very long time. Without a timeout mechanism, a small number of such queries can exhaust the router's thread pool.

Remediation and Mitigation
Remediation: A new metric has been introduced that caps the number of selections which cannot be skipped, preventing the excessive computation.
Patch: Fixed in versions 1.61.2 and 2.1.1.
Temporary Workaround: Use "Safelisting", or "Safelisting with only IDs".

References
Query Planning Documentation

Acknowledgments
Thank you to the security community for their efforts in identifying and improving the performance and security of the query planning mechanism.