Home > Vulnerability Database > CVE-2025-64347

Mend.io Vulnerability Database

CVE-2025-64347

Good to know:

Date: November 7, 2025

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1.

Severity Score

7.5

Related Resources (5)

Url: https://github.com/apollographql/router

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64347

Url: https://github.com/apollographql/router/security/advisories/GHSA-g8jh-vg5j-4h3f

Url: https://github.com/apollographql/router/commit/78e4b20a2fc26cc5f141aa47992ed85375266a2b

Url: https://www.mend.io/vulnerability-database/CVE-2025-64347

Severity Score

7.5

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version apollo-router - 2.8.1;apollo-router - 1.61.12;https://github.com/apollographql/router.git - v2.8.1;https://github.com/apollographql/router.git - v1.61.12

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64347

Good to know:

Date: November 7, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?