
CVE-2025-64173: CWE-288: Authentication Bypass Using an Alternate Path or Channel in apollographql router

Severity: High
Tags: vulnerability, cve-2025-64173, cwe-288
Published: Thu Nov 06 2025 (11/06/2025, 20:42:51 UTC)
Source: CVE Database V5
Vendor/Project: apollographql
Product: router

Description

Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2. In versions 1.61.11 and below, as well as 2.0.0-alpha.0 through 2.8.1-rc.0, a vulnerability allowed unauthenticated queries to access data that required additional access controls. The router incorrectly handled access control directives on interface types/fields and their implementing object types/fields: it applied the directives declared on the interface types/fields while ignoring the directives on their implementing object types/fields when all implementations had the same requirements. Apollo Router customers defining @authenticated, @requiresScopes, or @policy directives inconsistently on polymorphic types (i.e., object types that implement interface types) are impacted. This issue is fixed in versions 1.61.12 and 2.8.1.

AI-Powered Analysis

Last updated: 11/06/2025, 21:13:47 UTC

Technical Analysis

CVE-2025-64173 is an authentication bypass vulnerability classified under CWE-288 that affects Apollo Router Core, a configurable graph router written in Rust for federated supergraphs using Apollo Federation 2. The vulnerability exists in versions prior to 1.61.12 and from 2.0.0-alpha.0 through 2.8.1-rc.0, where the router incorrectly applies access control directives such as @authenticated, @requiresScopes, or @policy on polymorphic GraphQL types. Specifically, when access control directives are inconsistently defined between interface types/fields and their implementing object types/fields, the router enforces the directives only on the interface types/fields and ignores those on the implementing object types/fields. This misapplication allows unauthenticated queries to bypass intended access controls and retrieve sensitive data that should be protected. The vulnerability does not require any privileges or user interaction to exploit, making it remotely exploitable over the network. The flaw impacts confidentiality but not integrity or availability. The issue is resolved in Apollo Router versions 1.61.12 and 2.8.1. No public exploits have been reported to date, but the vulnerability presents a significant risk for organizations relying on Apollo Router for GraphQL federation with complex polymorphic schemas and access control policies.

Potential Impact

For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure, particularly for those using Apollo Router in environments handling sensitive or regulated data such as personal information, financial records, or intellectual property. The bypass of authentication controls can lead to breaches of GDPR and other data protection regulations, resulting in legal penalties and reputational damage. Organizations in sectors like finance, healthcare, telecommunications, and government are especially vulnerable due to the critical nature of their data and services. Since the vulnerability allows unauthenticated remote access to protected data, attackers could exploit it to gather intelligence, conduct espionage, or facilitate further attacks. The lack of impact on integrity and availability reduces the risk of data tampering or service disruption but does not diminish the severity of confidentiality breaches. The absence of known exploits provides a window for proactive mitigation, but the ease of exploitation and high confidentiality impact make timely patching imperative.

Mitigation Recommendations

European organizations should immediately upgrade Apollo Router to version 1.61.12 or later, or 2.8.1 or later, to remediate this vulnerability. Additionally, they should conduct a thorough audit of their GraphQL schemas to ensure consistent application of access control directives (@authenticated, @requiresScopes, @policy) across interface types and their implementing object types. Implement automated schema validation tools to detect inconsistencies in access control directives. Employ runtime monitoring and logging of GraphQL queries to detect anomalous access patterns indicative of exploitation attempts. Restrict network access to Apollo Router instances using network segmentation and firewall rules to limit exposure. Consider implementing additional application-layer access controls or API gateways that enforce authorization independently of Apollo Router. Finally, maintain an incident response plan tailored to data breach scenarios involving GraphQL APIs.
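The schema audit and the "automated schema validation" step above can be scripted. The following is an added example, not code from Apollo or from this page: a small checker that parses a constrained subset of GraphQL SDL with regular expressions (no graphql-core dependency, so it runs offline) and reports every implementing object type, or field shared with its interface, whose set of @authenticated / @requiresScopes / @policy directives differs from the interface's. The two SDL documents at the bottom are constructed for illustration; the function names and the SDL subset the parser accepts (type and interface definitions, `implements A & B`, field arguments, directive arguments without a `)` inside string literals) are assumptions of this example.

```python
"""Consistency check for Apollo auth directives on polymorphic GraphQL types.

Added example; not Apollo Router code. Flags places where an object type (or a
field it shares with an interface) carries different access-control directives
than the interface it implements, which is the condition the advisory says
exposed data in affected router versions.
"""
import re
from dataclasses import dataclass, field

AUTH_DIRECTIVES = {"authenticated", "requiresScopes", "policy"}

# One interface/type definition: keyword, name, header (implements + directives), body.
TYPE_RE = re.compile(r"\b(interface|type)\s+(\w+)([^{]*)\{([^}]*)\}")
# One field in a body: name, optional argument list, return type, trailing directives.
FIELD_RE = re.compile(r"(\w+)\s*(?:\([^)]*\))?\s*:\s*[\[\]\w!]+\s*((?:@\w+(?:\([^)]*\))?\s*)*)")
DIRECTIVE_RE = re.compile(r"@(\w+)(?:\(([^)]*)\))?")
IMPLEMENTS_RE = re.compile(r"implements\s+([\w\s&]+?)\s*(?=@|$)")


def auth_directives(text):
    """Return the auth-relevant directives in `text` as a frozenset of (name, args)."""
    found = set()
    for name, args in DIRECTIVE_RE.findall(text):
        if name in AUTH_DIRECTIVES:
            # Normalise whitespace so `scopes: [["a"]]` and `scopes:[["a"]]` compare equal.
            found.add((name, re.sub(r"\s+", "", args or "")))
    return frozenset(found)


@dataclass
class TypeDef:
    kind: str                      # "interface" or "type"
    name: str
    interfaces: list = field(default_factory=list)
    directives: frozenset = frozenset()            # type-level auth directives
    fields: dict = field(default_factory=dict)     # field name -> frozenset of auth directives


def parse_sdl(sdl):
    """Parse interface and object type definitions from the constrained SDL subset."""
    types = {}
    for kind, name, header, body in TYPE_RE.findall(sdl):
        t = TypeDef(kind=kind, name=name, directives=auth_directives(header))
        m = IMPLEMENTS_RE.search(header)
        if m:
            t.interfaces = [i.strip() for i in m.group(1).split("&") if i.strip()]
        for fname, fdirs in FIELD_RE.findall(body):
            t.fields[fname] = auth_directives(fdirs)
        types[name] = t
    return types


def fmt(dirs):
    """Render a directive set for a human-readable finding."""
    return "{" + ", ".join(sorted(f"@{n}({a})" if a else f"@{n}" for n, a in dirs)) + "}"


def find_inconsistencies(sdl):
    """Return sorted findings for object types whose auth directives diverge from their interfaces."""
    types = parse_sdl(sdl)
    findings = []
    for t in types.values():
        if t.kind != "type":
            continue
        for iname in t.interfaces:
            iface = types.get(iname)
            if iface is None or iface.kind != "interface":
                findings.append(f"{t.name}: implements unknown interface {iname}")
                continue
            if t.directives != iface.directives:
                findings.append(f"{t.name}: type-level auth directives {fmt(t.directives)} "
                                f"differ from interface {iname} {fmt(iface.directives)}")
            # Only fields declared on the interface are reachable through it, so compare those.
            for fname, idirs in iface.fields.items():
                odirs = t.fields.get(fname)
                if odirs is None:
                    findings.append(f"{t.name}.{fname}: field required by {iname} is missing")
                elif odirs != idirs:
                    findings.append(f"{t.name}.{fname}: auth directives {fmt(odirs)} "
                                    f"differ from {iname}.{fname} {fmt(idirs)}")
    return sorted(findings)


# Constructed sample: protection lives only on the implementing types, not the interface.
INCONSISTENT_SDL = """
interface Person { id: ID!  email: String }
type Customer implements Person { id: ID!  email: String @authenticated  loyaltyTier: String }
type Employee implements Person @requiresScopes(scopes: [["hr:read"]]) {
  id: ID!  email: String @authenticated  salary: Int @requiresScopes(scopes: [["hr:read"]])
}
type Query { people: [Person!]! }
"""

# Constructed sample: the same requirements declared on the interface and every implementation.
CONSISTENT_SDL = """
interface Person @authenticated { id: ID!  email: String @requiresScopes(scopes: [["pii:read"]]) }
type Customer implements Person @authenticated {
  id: ID!  email: String @requiresScopes(scopes: [["pii:read"]])  loyaltyTier: String
}
type Query { people: [Person!]! }
"""

if __name__ == "__main__":
    for line in find_inconsistencies(INCONSISTENT_SDL):
        print(line)
```

Run it against the supergraph SDL (or each subgraph schema) in CI; a non-empty result means the schema has the shape the advisory describes and should be fixed by declaring the same directives on the interface and on every implementing type, independent of whether the router version in use is patched.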


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-28T21:07:16.439Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690d0c0d08e329e0f8ef65cb

Added to database: 11/6/2025, 8:58:53 PM

Last enriched: 11/6/2025, 9:13:47 PM

Last updated: 11/8/2025, 2:13:47 AM
