CVE-2025-32033 (GCVE-0-2025-32033)
Vulnerability from cvelistv5 – Published: 2025-04-07 20:48 – Updated: 2025-04-08 13:31
VLAI?
Summary
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.
Severity ?
7.5 (High)
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| apollographql | router |
Affected:
< 1.61.2
Affected: >= 2.0.0-alpha.0, < 2.1.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T13:31:30.359125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T13:31:44.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "router",
"vendor": "apollographql",
"versions": [
{
"status": "affected",
"version": "\u003c 1.61.2"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.0, \u003c 2.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query\u0027s height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments. This has been remediated in apollo-router versions 1.61.2 and 2.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T20:48:19.504Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/apollographql/router/security/advisories/GHSA-84m6-5m72-45fp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-84m6-5m72-45fp"
},
{
"name": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564"
},
{
"name": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952"
}
],
"source": {
"advisory": "GHSA-84m6-5m72-45fp",
"discovery": "UNKNOWN"
},
"title": "Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32033",
"datePublished": "2025-04-07T20:48:19.504Z",
"dateReserved": "2025-04-01T21:57:32.958Z",
"dateUpdated": "2025-04-08T13:31:44.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-32033\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-04-07T21:15:43.527\",\"lastModified\":\"2025-04-08T18:13:53.347\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query\u0027s height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.\"},{\"lang\":\"es\",\"value\":\"Apollo Router Core es un enrutador de gr\u00e1ficos configurable y de alto rendimiento, escrito en Rust, para ejecutar un supergrafo federado que utiliza Apollo Federation 2. Antes de las versiones 1.61.2 y 2.1.1, el complemento de los l\u00edmites de operaci\u00f3n utilizaba enteros de 32 bits sin signo para controlar los contadores de los l\u00edmites (por ejemplo, la altura de una consulta). Si un contador superaba el valor m\u00e1ximo para este tipo de dato (4\u0026#xa0;294\u0026#xa0;967\u0026#xa0;295), se reiniciaba a 0, lo que permit\u00eda involuntariamente que las consultas superaran los umbrales configurados. Esto pod\u00eda ocurrir en consultas grandes si el l\u00edmite de payload se aumentaba lo suficiente, pero tambi\u00e9n en consultas peque\u00f1as con fragmentos con nombre profundamente anidados y reutilizados. Esto se ha solucionado en las versiones 1.61.2 y 2.1.1 de apollo-router.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"references\":[{\"url\":\"https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/apollographql/router/security/advisories/GHSA-84m6-5m72-45fp\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-32033\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-08T13:31:30.359125Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-08T13:31:36.839Z\"}}], \"cna\": {\"title\": \"Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow\", \"source\": {\"advisory\": \"GHSA-84m6-5m72-45fp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"apollographql\", \"product\": \"router\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.61.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0.0-alpha.0, \u003c 2.1.1\"}]}], \"references\": [{\"url\": \"https://github.com/apollographql/router/security/advisories/GHSA-84m6-5m72-45fp\", \"name\": \"https://github.com/apollographql/router/security/advisories/GHSA-84m6-5m72-45fp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564\", \"name\": \"https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952\", \"name\": \"https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query\u0027s height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-119\", \"description\": \"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-07T20:48:19.504Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-32033\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-08T13:31:44.219Z\", \"dateReserved\": \"2025-04-01T21:57:32.958Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-04-07T20:48:19.504Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…