CVE-2025-64173: Apollo Router Affected by an Access Control Bypass on Polymorphic Types

November 6, 2025

A vulnerability in Apollo Router allowed for unauthenticated queries to access data that required additional access controls. Router incorrectly handled access control directives on interface types/fields and their implementing object types/fields, applying them to interface types/fields while ignoring directives on their implementing object types/fields when all implementations had the same requirements.

References

github.com/advisories/GHSA-x33c-7c2v-mrj9
github.com/apollographql/router
github.com/apollographql/router/commit/75ca43ecb9d38423b63d09896702f9da425cc754
github.com/apollographql/router/security/advisories/GHSA-x33c-7c2v-mrj9
nvd.nist.gov/vuln/detail/CVE-2025-64173

Code Behaviors & Features

Detect and mitigate CVE-2025-64173 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →