GHSA-MX7M-J9XF-62HW

Vulnerability from github – Published: 2025-11-14 17:46 – Updated: 2025-11-14 17:46
VLAI?
Summary
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
Details

Summary

A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead querying the implementing object types/fields in Apollo Router via inline or named fragments. A fix to composition logic in Federation now disallows interfaces types and fields to contain user-defined access control directives.

Details

Apollo Federation allows users to specify access control directives (@authenticated, @requiresScopes, and @policy) to protect object and interface types and fields. However, the GraphQL specification does not define inheritance rules for directives from interfaces to their implementations. When querying object or interface types/fields, Apollo Router will enforce any directives on those object or interface types/fields, but ignore any directives on interface types/fields they implement. This inconsistent enforcement behavior leads to unexpected runtime security gaps.

Who is impacted

This vulnerability impacts Apollo Federation customers defining @authenticated, @requiresScopes, or @policy directives on interface types/fields.

Scope of Impact

This vulnerability could allow a malicious actor to craft a query that can bypass access control requirements on the interface types/fields by instead querying them via implementing object types/fields that don't have the same access control requirements via inline or named fragments.

Patches

This vulnerability has been fixed in Apollo Federation's composition logic by rejecting user-defined access control directives entirely on interface types and fields (note that access control directives on @interfaceObject fields are not rejected, as those are really specifying requirements on the virtual object fields). Instead, Apollo Federation's composition logic will automatically generate access control directives for interface types/fields in the supergraph schema based on the access control directives on the implementations in subgraph schemas.

Note that this is a breaking change to Apollo Federation, as it no longer allows user-defined access control directives directly on interfaces types and fields. You will need to remove all access control requirements on interface types/fields and manually apply them to each implementing object type/field, where appropriate.

If users are using the Apollo Studio build pipeline with federation version 2.9 or above, then this composition patch version update is automatic and they only need to adjust the access control requirements in your subgraph schemas as mentioned above.

If users are using Apollo Rover for local composition, they will need to update its composition version (after updating Apollo Router, if necessary) to one of the following versions:

  • 2.9.5+
  • 2.10.4+
  • 2.11.5+
  • 2.12.1+

Users will then need adjust the access control requirements in your subgraph schemas as mentioned above.

Workarounds

  • If using Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below, users should manually copy the access control requirements on interface types/fields to each implementing object type/field where appropriate. Do not remove those access control requirements from the interface types/fields, as unpatched Apollo Composition will not automatically generate them in the supergraph schema.
  • Customers not using Apollo Router access control features (@authenticated, @requiresScopes, or @policy directives) or not specifying access control requirements on interface types/fields are not affected and do not need to take action.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@apollo/composition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@apollo/composition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0-alpha.3"
            },
            {
              "fixed": "2.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@apollo/composition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.0-preview.1"
            },
            {
              "fixed": "2.11.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@apollo/composition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.0-preview.1"
            },
            {
              "fixed": "2.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T17:46:55Z",
    "nvd_published_at": "2025-11-13T23:15:49Z",
    "severity": "HIGH"
  },
  "details": "# Summary\nA vulnerability in Apollo Federation\u0027s composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead querying the implementing object types/fields in Apollo Router via inline or named fragments. A fix to composition logic in Federation now disallows interfaces types and fields to contain user-defined access control directives.\n\n## Details\nApollo Federation allows users to specify access control directives ([`@authenticated`, `@requiresScopes`, and `@policy`](https://www.apollographql.com/docs/graphos/routing/security/authorization#authorization-directives)) to protect object and interface types and fields. However, the GraphQL specification does not define inheritance rules for directives from interfaces to their implementations. When querying object or interface types/fields, Apollo Router will enforce any directives on those object or interface types/fields, but ignore any directives on interface types/fields they implement. This inconsistent enforcement behavior leads to unexpected runtime security gaps.\n\n## Who is impacted\nThis vulnerability impacts Apollo Federation customers defining `@authenticated`, `@requiresScopes`, or `@policy` directives on interface types/fields.\n\n### Scope of Impact\nThis vulnerability could allow a malicious actor to craft a query that can bypass access control requirements on the interface types/fields by instead querying them via implementing object types/fields that don\u0027t have the same access control requirements via inline or named fragments.\n\n## Patches\nThis vulnerability has been fixed in Apollo Federation\u0027s composition logic by rejecting user-defined access control directives entirely on interface types and fields (note that access control directives on `@interfaceObject` fields are not rejected, as those are really specifying requirements on the virtual object fields). Instead, Apollo Federation\u0027s composition logic will automatically generate access control directives for interface types/fields in the supergraph schema based on the access control directives on the implementations in subgraph schemas. \n\n_Note that this is a breaking change to Apollo Federation, as it no longer allows user-defined access control directives directly on interfaces types and fields. You will need to remove all access control requirements on interface types/fields and manually apply them to each implementing object type/field, where appropriate._\n\nIf users are using the Apollo Studio build pipeline with federation version 2.9 or above, then this composition patch version update is automatic and they only need to adjust the access control requirements in your subgraph schemas as mentioned above.\n\nIf users are using Apollo Rover for local composition, they will need to update its composition version (after updating Apollo Router, [if necessary](https://www.apollographql.com/docs/graphos/platform/graph-management/updates#recommended-update-order)) to one of the following versions:\n\n- 2.9.5+\n- 2.10.4+\n- 2.11.5+\n- 2.12.1+\n\nUsers will then need adjust the access control requirements in your subgraph schemas as mentioned above.\n\n## Workarounds\n- If using Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below, users should manually copy the access control requirements on interface types/fields to each implementing object type/field where appropriate. _Do not_ remove those access control requirements from the interface types/fields, as unpatched Apollo Composition will not automatically generate them in the supergraph schema.\n- Customers not using Apollo Router access control features (`@authenticated`, `@requiresScopes`, or `@policy` directives) or not specifying access control requirements on interface types/fields are not affected and do not need to take action.",
  "id": "GHSA-mx7m-j9xf-62hw",
  "modified": "2025-11-14T17:46:55Z",
  "published": "2025-11-14T17:46:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/federation/security/advisories/GHSA-mx7m-j9xf-62hw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64530"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/federation/pull/3340"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/federation/pull/3341"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/federation/pull/3343"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apollographql/federation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.