Key Information Summary

Vulnerability Overview
- Vulnerability Name: Improper Enforcement of Access Control on Interface Types and Fields
- Reported Time: 16 hours ago
- Severity: High (7.5/10)

Affected Scope
- Affected Package: @apollo/composition (npm package)
- Affected Versions: <2.9.5, <2.10.4, <2.11.5, <2.12.1
- Fixed Versions: 2.9.5, 2.10.4, 2.11.5, 2.12.1

Vulnerability Details
CVSS v3 Base Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

- CVE ID: CVE-2025-64530
- Weakness Type: CWE-288

Affected Users and Scope
Primarily affects users of Apollo Federation who define the , , or directives on interface types or fields. The vulnerability may allow a malicious user to bypass the access control requirements declared on an interface type or field by querying the same data through an implementing object type or field that does not carry the requirement.

Remediation
The fixed versions update Apollo Federation's composition logic to reject user-defined access control directives on interface types and fields. After upgrading, adjust the access control requirements in the affected subgraph schemas where necessary.

Workarounds
Users still on an unfixed composition version should manually copy the access control requirements from each interface type or field to the corresponding implementing object types or fields.

Customers who do not use Apollo Router's access control features, and who have not specified access control requirements on interface types or fields, are unaffected and require no action.
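As an added example (not code from the advisory, from Apollo, or from the @apollo/composition package), the following script checks a subgraph SDL for the workaround above: every access-control requirement on an interface type or field must be restated on each implementing object type or field. The directive names in ACCESS_DIRECTIVES and the sample schema are assumptions made for the illustration; the parser is regex-based and handles the plain SDL shapes shown, not every GraphQL construct.

```python
"""Find access-control directives declared on interface types or fields that an
implementing object type does not restate (the gap behind CVE-2025-64530)."""
import re

# Assumed set of access-control directive names; pass your own set if different.
ACCESS_DIRECTIVES = {"authenticated", "requiresScopes", "policy"}

_TYPE_RE = re.compile(r"\b(interface|type)\s+(\w+)([^{]*)\{([^}]*)\}")
_FIELD_RE = re.compile(r"^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*[^@\n]*(.*)$")


def _access_dirs(text, names):
    """Access-control directives in `text`, arguments whitespace-normalised."""
    found = re.findall(r"@(\w+)(\([^)]*\))?", text)
    return {n + re.sub(r"\s+", "", a) for n, a in found if n in names}


def parse_sdl(sdl, names=ACCESS_DIRECTIVES):
    """Return {name: {kind, implements, dirs, fields: {field: dirs}}} per type."""
    types = {}
    for kind, name, header, body in _TYPE_RE.findall(sdl):
        m = re.search(r"implements\s+([\w\s&]+?)\s*(?=@|$)", header)
        implements = [s.strip() for s in m.group(1).split("&")] if m else []
        fields = {}
        for line in body.splitlines():
            fm = _FIELD_RE.match(line)
            if fm:
                fields[fm.group(1)] = _access_dirs(fm.group(2), names)
        types[name] = {"kind": kind, "implements": implements,
                       "dirs": _access_dirs(header, names), "fields": fields}
    return types


def find_unenforced(sdl, names=ACCESS_DIRECTIVES):
    """List (interface, object_type, field_or_None, directive) for every
    interface-level requirement the implementing type does not restate."""
    types = parse_sdl(sdl, names)
    gaps = []
    for obj_name, obj in types.items():
        if obj["kind"] != "type":
            continue
        for iface_name in obj["implements"]:
            iface = types.get(iface_name)
            if iface is None:
                continue
            for d in sorted(iface["dirs"] - obj["dirs"]):
                gaps.append((iface_name, obj_name, None, d))
            for fname, fdirs in iface["fields"].items():
                for d in sorted(fdirs - obj["fields"].get(fname, set())):
                    gaps.append((iface_name, obj_name, fname, d))
    return gaps


# Constructed sample subgraph: Savings implements Account without restating
# the interface's type-level and field-level requirements.
SAMPLE_SDL = """
interface Account @authenticated {
  id: ID!
  balance: Float @requiresScopes(scopes: [["accounts:read"]])
}
type Checking implements Account @authenticated {
  id: ID!
  balance: Float @requiresScopes(scopes: [["accounts:read"]])
}
type Savings implements Account {
  id: ID!
  balance: Float
}
"""

if __name__ == "__main__":
    for iface, obj, field, d in find_unenforced(SAMPLE_SDL):
        where = f"{obj}.{field}" if field else obj
        print(f"{where} lacks @{d} required by interface {iface}")
```

Run against a real subgraph, the list it returns is exactly the set of requirements that must be copied down to implementing types before the fixed composition versions are in place.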