Key Information

Vulnerability Description:
- Apollo Router contains a vulnerability that allows unauthenticated queries to access data that requires additional access controls.
- The router incorrectly handles access control directives on interface types/fields and their implementing object types/fields.

Affected Scope:
- Affected Versions:
  - apollo-router (Rust) < 1.61.12, < 2.8.1
  - apollographql/helm-charts/router < 1.61.12, < 2.8.1
  - apollographql/router (GitHub Packages Container Registry) < 1.61.12, < 2.8.1
  - apollographql/router (GitHub Releases) < 1.61.12, < 2.8.1
- Fixed Versions:
  - 1.61.12+
  - 2.8.1+

Vulnerability Severity:
- Score: High (7.5/10)
- CVSS v3 Base Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

CVE ID:
- CVE-2025-64173

Weakness Type:
- CWE-288 (Authentication Bypass Using an Alternate Path or Channel)

Remediation:
- Upgrade to a fixed version (1.61.12+, 2.8.1+).
- If an immediate upgrade is not possible, ensure that every existing access control requirement is applied consistently to both the relevant interface types/fields and their implementing object types/fields.

Impacted Customers:
- Apollo Router customers who define , , or directives inconsistently on polymorphic types.

Mitigation Developer:
- dariuszkuc
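The interim remediation above is a schema-consistency requirement: whatever access-control directive sits on an interface type or interface field must also appear on every object type (or object field) that implements it. The following script is an added example, not Apollo's code and not part of the advisory, that checks a schema for exactly that gap. It parses a simplified subset of GraphQL SDL with regular expressions (single-line field definitions, no nested parentheses in directive arguments), so it is a pre-upgrade audit aid rather than a full SDL parser. The directive names in `ACCESS_DIRECTIVES` and the sample schema are assumptions constructed for the example; the advisory text does not name the directives here, so configure the set to match the access-control directives your schema actually uses.

```python
import re
from dataclasses import dataclass, field

# Directive names treated as access-control requirements. This set is an
# assumption for the example; adjust it to the directives your schema uses.
ACCESS_DIRECTIVES = {"authenticated", "requiresScopes", "policy"}

# Constructed sample schema: Checking mirrors the interface's requirements,
# Savings does not (neither the type-level nor the field-level directive).
SAMPLE_SDL = """
interface Account @authenticated {
  id: ID!
  balance: Float @requiresScopes(scopes: [["finance:read"]])
}

type Checking implements Account @authenticated {
  id: ID!
  balance: Float @requiresScopes(scopes: [["finance:read"]])
  overdraft: Float
}

type Savings implements Account {
  id: ID!
  balance: Float
}

type Query {
  accounts: [Account!]!
}
"""

_DIRECTIVE_RE = re.compile(r"@(\w+)(\([^)]*\))?")
_BLOCK_RE = re.compile(
    r"^(interface|type)\s+(\w+)"           # kind and type name
    r"(?:\s+implements\s+([\w\s&]+?))?"    # optional "implements A & B"
    r"\s*((?:@\w+(?:\([^)]*\))?\s*)*)"     # optional type-level directives
    r"\{(.*?)\}",                          # body up to the closing brace
    re.MULTILINE | re.DOTALL,
)
# One field per line: name, optional (args), ": Type", then trailing directives.
_FIELD_RE = re.compile(r"^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*[\[\]\w!]+(.*)$")


@dataclass
class TypeDef:
    kind: str
    name: str
    implements: list
    directives: set                          # access directives on the type itself
    fields: dict = field(default_factory=dict)  # field name -> set of access directives


def _access_directives(text):
    """Return normalised 'name(args)' strings for access-control directives in text.

    Whitespace inside arguments is stripped so that equivalent declarations
    compare equal regardless of formatting.
    """
    found = set()
    for name, args in _DIRECTIVE_RE.findall(text):
        if name in ACCESS_DIRECTIVES:
            found.add(name + re.sub(r"\s+", "", args or ""))
    return found


def parse_sdl(sdl):
    """Parse interface and object type definitions from a simplified SDL string."""
    types = {}
    for kind, name, impls, type_dirs, body in _BLOCK_RE.findall(sdl):
        implements = [i.strip() for i in impls.split("&")] if impls else []
        tdef = TypeDef(kind, name, implements, _access_directives(type_dirs))
        for line in body.splitlines():
            line = line.split("#", 1)[0]  # drop SDL comments
            match = _FIELD_RE.match(line)
            if match:
                tdef.fields[match.group(1)] = _access_directives(match.group(2))
        types[name] = tdef
    return types


def find_inconsistencies(types):
    """Report access-control requirements declared on an interface (type-level or
    field-level) that an implementing type does not repeat.

    Returns (interface, implementer, field_or_None, missing_directive) tuples.
    """
    findings = []
    for impl in types.values():
        for iface_name in impl.implements:
            iface = types.get(iface_name)
            if iface is None or iface.kind != "interface":
                continue  # unknown or non-interface target; nothing to compare
            for directive in sorted(iface.directives - impl.directives):
                findings.append((iface_name, impl.name, None, directive))
            for fname, fdirs in iface.fields.items():
                for directive in sorted(fdirs - impl.fields.get(fname, set())):
                    findings.append((iface_name, impl.name, fname, directive))
    return findings


if __name__ == "__main__":
    for iface, impl, fname, directive in find_inconsistencies(parse_sdl(SAMPLE_SDL)):
        where = f"{impl}.{fname}" if fname else impl
        print(f"{where} is missing @{directive} declared on interface {iface}")
```

Run against the sample schema, the checker flags `Savings` for the missing type-level directive and `Savings.balance` for the missing field-level directive, while `Checking` passes; the fix is to copy the interface's directives onto the implementing type and field and re-run until the report is empty, in addition to (not instead of) upgrading the router.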