
CVE-2025-64347: CWE-284: Improper Access Control in apollographql router

Severity: High
Published: Fri Nov 07 2025 (11/07/2025, 17:47:28 UTC)
Source: CVE Database V5
Vendor/Project: apollographql
Product: router

Description

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1.

AI-Powered Analysis

Last updated: 11/14/2025, 18:15:36 UTC

Technical Analysis

CVE-2025-64347 is an improper access control vulnerability (CWE-284) found in Apollo Router Core, a Rust-based router designed to manage federated supergraphs using Apollo Federation 2. The vulnerability arises from the router's failure to enforce access control directives on schema elements that have been renamed via the GraphQL @link import feature. Specifically, directives such as @authenticated, @requiresScopes, and @policy, which are intended to restrict access to certain fields or types, can be renamed in imported schemas. The router did not correctly apply these renamed directives, allowing queries to bypass element-level access controls. This means that unauthorized users can query protected data without authentication or proper authorization. The affected versions include all releases prior to 1.61.12 and versions from 2.8.1-rc.0 up to but not including 2.8.1. The issue was addressed in versions 1.61.12 and 2.8.1. The CVSS v3.1 score is 7.5 (high), reflecting the vulnerability's network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. No known exploits are currently reported in the wild. The vulnerability is critical for organizations relying on Apollo Router for enforcing fine-grained access control in their GraphQL federated services, as it undermines the integrity of access policies and exposes sensitive data.

Potential Impact

For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure, especially for those leveraging Apollo Router in their GraphQL federated architectures. Sensitive business, customer, or operational data protected by access control directives could be exposed to unauthorized parties, potentially leading to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and financial penalties. Since the vulnerability allows remote exploitation without authentication or user interaction, attackers can easily exploit it over the network, increasing the threat surface. Organizations in sectors such as finance, healthcare, telecommunications, and government, which often use GraphQL APIs for complex data aggregation, are particularly vulnerable. The failure to enforce renamed access control directives could also undermine trust in API security and complicate incident response efforts.

Mitigation Recommendations

The primary mitigation is to upgrade Apollo Router to versions 1.61.12 or later, or 2.8.1 or later, where the vulnerability is fixed. Organizations should audit their GraphQL schemas to identify any use of @link imports that rename access control directives and verify that access policies are correctly applied. Implement strict schema validation and testing to detect any bypasses of access control rules. Employ runtime monitoring and anomaly detection on GraphQL queries to identify unusual access patterns that may indicate exploitation attempts. Limit network exposure of Apollo Router instances by restricting access to trusted networks or via VPNs. Additionally, enforce strong authentication and authorization at other layers to provide defense-in-depth. Maintain up-to-date inventories of Apollo Router deployments and ensure patch management processes prioritize this vulnerability due to its high severity and ease of exploitation.
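One way to carry out the schema audit recommended above, written here as an added example that is not part of this page or of Apollo's own tooling: it scans supergraph SDL for @link imports that rename any of the three access-control directives and reports how many schema elements carry each alias. The SDL sample is constructed, and the parsing assumes the documented `{name: "@x", as: "@y"}` rename form with no nested brackets inside the import list.

```python
import re

# Access-control directives the advisory names; affected Router versions did
# not enforce them when they were renamed through a @link import.
ACCESS_CONTROL_DIRECTIVES = {"@authenticated", "@requiresScopes", "@policy"}

_LINK_RE = re.compile(r"@link\s*\((.*?)\)", re.DOTALL)
_IMPORT_RE = re.compile(r"import\s*:\s*\[(.*?)\]", re.DOTALL)
# Assumes the {name: "@x", as: "@y"} rename form with the keys in that order.
_RENAME_RE = re.compile(r'\{\s*name\s*:\s*"(@\w+)"\s*,\s*as\s*:\s*"(@\w+)"\s*\}')

def renamed_access_directives(sdl: str) -> dict[str, str]:
    """Map alias -> original for access-control directives renamed via @link."""
    renames = {}
    for link in _LINK_RE.finditer(sdl):
        for imports in _IMPORT_RE.finditer(link.group(1)):
            for original, alias in _RENAME_RE.findall(imports.group(1)):
                if original in ACCESS_CONTROL_DIRECTIVES and alias != original:
                    renames[alias] = original
    return renames

def alias_usages(sdl: str, renames: dict[str, str]) -> dict[str, int]:
    """Count schema elements carrying each alias, ignoring the @link lines."""
    body = _LINK_RE.sub("", sdl)
    # The trailing \b keeps "@auth" from also matching "@authenticated".
    return {a: len(re.findall(re.escape(a) + r"\b", body)) for a in renames}

def audit(sdl: str) -> list[str]:
    """One finding per renamed directive; an empty list means nothing to review."""
    renames = renamed_access_directives(sdl)
    usages = alias_usages(sdl, renames)
    return [f"{alias} renames {orig}; applied to {usages[alias]} schema element(s)"
            for alias, orig in renames.items()]

# Constructed sample supergraph SDL, not taken from any real deployment.
SAMPLE_SDL = """
extend schema
  @link(url: "https://specs.apollo.dev/federation/v2.5",
        import: ["@key", {name: "@authenticated", as: "@auth"},
                 {name: "@requiresScopes", as: "@scopes"}])
type Query {
  me: User @auth
  auditLog: [String!] @scopes(scopes: [["audit:read"]])
}
type User @key(fields: "id") {
  id: ID!
  email: String @auth
}
"""
```

Any non-empty result from `audit()` marks a schema whose protected elements would have been served without the directive check on an unpatched Router, so those deployments belong at the top of the upgrade list.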


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-30T17:40:52.031Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690e3201f29beb96f88aff9c

Added to database: 11/7/2025, 5:53:05 PM

Last enriched: 11/14/2025, 6:15:36 PM

Last updated: 11/22/2025, 8:00:24 AM

Views: 44

