Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| apollographql | router | affected |
|
No data.
No data.
| Vendor | Product | Confidence | Versions |
|---|---|---|---|
| Apollographql | Apollo-router | — | — |
Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
 Github GHSA |
GHSA-g8jh-vg5j-4h3f | Apollo Router Improperly Enforces Renamed Access Control Directives |
Mon, 10 Nov 2025 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Apollographql
Apollographql apollo-router |
|
| Vendors & Products |
Apollographql
Apollographql apollo-router |
Fri, 07 Nov 2025 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 07 Nov 2025 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1. | |
| Title | Apollo Router Improperly Enforces Renamed Access Control Directives | |
| Weaknesses | CWE-284 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-11-07T18:25:59.775Z
Reserved: 2025-10-30T17:40:52.031Z
Link: CVE-2025-64347
Vulnrichment
Updated: 2025-11-07T18:24:56.232Z
NVD
Status : Deferred
Published: 2025-11-07T18:15:37.313
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-64347
Redhat
No data.
OpenCVE Enrichment
Updated: 2025-11-10T09:33:53Z