CVE-2025-64347
Apollo Router Improperly Enforces Renamed Access Control Directives
Description
# Summary A vulnerability in Apollo Router allowed for unauthorized access to protected data through schema elements with access control directives (`@authenticated`, `@requiresScopes`, and `@policy`) that were renamed via `@link` imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. ## Details Apollo Federation allows users to specify access control directives (`@authenticated`, `@requiresScopes`, and `@policy`](https://www.apollographql.com/docs/graphos/routing/security/authorization#authorization-directives)) to protect schema data access at the element level. These directives can optionally be renamed via the [`imports` argument to the `@link` directive](https://www.apollographql.com/docs/graphos/schema-design/federated-schemas/reference/directives#renaming-directives), which can be useful if their default names match an existing user-defined directive in their subgraph schema. However, Apollo Router's access control logic ignored the `imports` argument, and would accordingly ignore access control directives that were renamed in this way. ## Who Is Impacted This vulnerability impacts Apollo Router customers defining `@authenticated`, `@requiresScopes`, or `@policy` directives on schema elements that were renamed via `@link` imports are impacted. ### Scope of Impact The vulnerability could allow a malicious actor to craft a query that can bypass access control requirements on schema elements protected by renamed access control directives. ## Patches This vulnerability has been fixed in Apollo Router by updating the access control logic to handle the `imports` argument in `@link` directives. You will need to update Router to one of the following versions: - 1.61.12+ - 2.8.1+ ## Workarounds - If you are not immediately updating Router to a patched version, you should remove any renames of access control directives in the `imports` argument to the `@link` directive. - Customers not using Apollo Router with renamed access control directives (`@authenticated`, `@requiresScopes`, and `@policy`) are not affected and do not need to take action.
How to fix CVE-2025-64347
To remediate CVE-2025-64347, upgrade the affected package to a fixed version below.
- —upgrade to 1.61.12 or later