CVE-2025-64530

Source
https://cve.org/CVERecord?id=CVE-2025-64530
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64530.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64530
Aliases
Published
2025-11-13T23:02:45.740Z
Modified
2026-04-10T05:33:49.502205Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
Details

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. A vulnerability in the composition logic of Apollo Federation versions prior to 2.9.5, 2.10.4, 2.11.5, and 2.12.1 allowed some queries sent to Apollo Router to bypass access controls on types and fields. Composition incorrectly accepted user-defined access control directives on interface types and fields; a client could bypass them by selecting the implementing object types and fields instead, for example through inline fragments on the concrete type.

The fix, released in versions 2.9.5, 2.10.4, 2.11.5, and 2.12.1 of the composition logic, disallows user-defined access control directives on interface types and fields.

Workarounds are available. Users of Apollo Rover with an unpatched composition version, or of the Apollo Studio build pipeline with Federation version 2.8 or below, should manually copy the access control requirements on each interface type or field to every implementing object type or field where appropriate. Do not remove the requirements from the interface types and fields, because unpatched Apollo Composition will not generate them automatically in the supergraph schema.

Customers who do not use the Apollo Router access control features (the @authenticated, @requiresScopes, and @policy directives), or who do not place access control requirements on interface types or fields, are not affected and need take no action.
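A way to find the schema positions the workaround above applies to. This is an added example, not Apollo's code or tooling: it takes a subgraph SDL, collects every @authenticated, @requiresScopes or @policy directive (the three named above) declared on an interface type or one of its fields, and reports each implementing object type or field that does not carry an identical copy. The subgraph schema inside it is constructed for this page; @key is Federation's standard entity directive and appears only so that the check visibly ignores directives that are not access controls. The SDL scanner is hand-rolled for the common subset (interface, type and extend type definitions, field arguments, directives with arguments, block descriptions, comments); for anything richer, parse with graphql-core instead.

```python
# Added example, not Apollo's code: audit a subgraph SDL for Router access-control
# directives on an interface type/field that its implementing object types/fields lack.
from __future__ import annotations
import re

AUTH_DIRECTIVES = {"authenticated", "requiresScopes", "policy"}   # named in the advisory
# Constructed subgraph schema. With CheckingAccount as below, the query
# { account(id: "1") { ... on CheckingAccount { balance } } } never meets Account's controls.
SUBGRAPH_SDL = '''
"""Gated only at the interface level: the pattern the advisory warns about."""
interface Account @authenticated {
  id: ID!
  balance: Int @requiresScopes(scopes: [["account:balance"]])
}
# Nothing copied down: type-level and field-level controls are both missing.
type CheckingAccount implements Account @key(fields: "id") {
  id: ID!
  balance: Int
}
# Workaround applied: every interface-level control is repeated on the object type.
type BrokerageAccount implements Account @key(fields: "id") @authenticated {
  id: ID!
  balance: Int @requiresScopes(scopes: [["account:balance"]])
  positions(limit: Int = 10): [String!]!
}
type Query { account(id: ID!): Account }
'''

_DEF_RE = re.compile(r"\b(interface|type)\s+(\w+)")
_DIR_RE = re.compile(r"[\s,]*@\w+\s*")                   # commas are whitespace in GraphQL
# field name, optional argument list (no ')' inside its strings), then the field type
_FIELD_RE = re.compile(r"[\s,]*(\w+)\s*(?:\([^)]*\))?\s*:\s*[\[\]\w!]+")

def _balanced_end(text: str, i: int) -> int:
    """text[i] opens a bracket; return the index just past its match, skipping strings."""
    depth, in_str, i = 1, False, i + 1
    while i < len(text) and depth:
        c = text[i]
        if in_str:
            in_str, i = c != '"', i + (c == "\\")        # backslash escapes the next char
        elif c == '"':
            in_str = True
        else:
            depth += (c in "([{") - (c in ")]}")
        i += 1
    return i

def _parse_directives(text: str, i: int) -> tuple:
    out = []                                               # the run of @name(args) at text[i]
    while (m := _DIR_RE.match(text, i)):
        i = m.end()
        if i < len(text) and text[i] == "(":
            i = _balanced_end(text, i)
        out.append(text[m.start():i].strip(" \t\r\n,"))
    return out, i

def _parse_fields(body: str) -> dict:
    fields, i = {}, 0                                      # field name -> its directives
    while (m := _FIELD_RE.match(body, i)):
        fields[m.group(1)], i = _parse_directives(body, m.end())
    return fields

def parse_sdl(sdl: str) -> dict:
    """{name: {"kind", "implements", "directives", "fields"}}; 'extend' blocks merge in."""
    text = re.sub(r'"""[\s\S]*?"""|#[^\n]*', " ", sdl)    # drop block descriptions, comments
    defs, pos = {}, 0
    while (m := _DEF_RE.search(text, pos)):
        t = defs.setdefault(m.group(2), {"kind": m.group(1), "implements": [], "directives": [], "fields": {}})
        pos = m.end()
        if (im := re.match(r"\s*implements\s+([\w\s&]*?)(?=[@{])", text[pos:])):
            t["implements"] += [x for x in re.split(r"[\s&]+", im.group(1)) if x]
            pos += im.end()
        dirs, pos = _parse_directives(text, pos)
        t["directives"] += dirs
        if (bm := re.match(r"\s*\{", text[pos:])):
            end = _balanced_end(text, pos + bm.end() - 1)  # pos + bm.end() - 1 is the '{'
            t["fields"].update(_parse_fields(text[pos + bm.end():end - 1]))
            pos = end
    return defs

def find_unpropagated_auth(sdl: str) -> list:
    """(object type, field or None, directive, interface) for each control the implementer lacks."""
    defs, out = parse_sdl(sdl), []
    norm = lambda d: re.sub(r"\s+", "", d)                 # ignore whitespace differences
    is_auth = lambda d: d[1:].split("(")[0].strip() in AUTH_DIRECTIVES
    for name, t in defs.items():
        for iname in (t["implements"] if t["kind"] == "type" else []):
            iface = defs.get(iname, {})
            if iface.get("kind") != "interface":           # defined in another subgraph, or a typo
                continue
            slots = [(None, iface["directives"], t["directives"])] + [
                (f, d, t["fields"].get(f, [])) for f, d in iface["fields"].items()]
            for fname, idirs, own in slots:
                have = {norm(d) for d in own}
                out += [(name, fname, d, iname) for d in idirs if is_auth(d) and norm(d) not in have]
    return out

if __name__ == "__main__":
    for tname, fname, directive, iname in find_unpropagated_auth(SUBGRAPH_SDL):
        print(f"{tname}{'.' + fname if fname else ''}: missing {directive} (declared on interface {iname})")
```

Run it over each subgraph schema that is still composed with an unpatched composition version or through a Federation 2.8 or earlier Studio pipeline, then copy the reported directive text verbatim onto the implementing type or field while leaving the interface declaration in place, as the advisory says. On fixed composition versions the check is moot, since composition is described above as disallowing access control directives on interfaces altogether. Two deliberate limits: object types are checked only against the interfaces they declare directly, which is what the advisory asks you to fix, and a directive whose arguments differ (a different scope list, say) is not treated as a match, which is the conservative reading.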

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64530.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-288"
    ]
}
References

Affected packages

Git / github.com/apollographql/federation

Affected ranges

Type
GIT
Repo
https://github.com/apollographql/federation
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
(fix commit not shown on this page; see the version ranges under Database specific)
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.9.5"
        },
        {
            "introduced": "2.10.0-preview.0"
        },
        {
            "fixed": "2.10.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/apollographql/federation
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.11.0-preview.0"
        },
        {
            "fixed": "2.11.5"
        }
    ]
}

Affected versions

2.*
2.2.0-rc.0
@apollo/composition@2.*
@apollo/composition@2.0.0-alpha.0
@apollo/composition@2.0.0-alpha.1
@apollo/composition@2.0.0-alpha.6
@apollo/composition@2.10.0
@apollo/composition@2.10.1
@apollo/composition@2.10.2
@apollo/composition@2.10.3
@apollo/composition@2.4.0
@apollo/composition@2.4.0-alpha.0
@apollo/composition@2.4.0-alpha.1
@apollo/composition@2.5.0
@apollo/composition@2.5.1
@apollo/composition@2.5.2
@apollo/composition@2.5.3
@apollo/composition@2.5.4
@apollo/composition@2.5.5
@apollo/composition@2.5.6
@apollo/composition@2.5.7
@apollo/composition@2.6.1
@apollo/composition@2.6.2
@apollo/composition@2.7.0
@apollo/composition@2.7.1
@apollo/composition@2.7.2
@apollo/composition@2.7.3
@apollo/composition@2.7.4
@apollo/composition@2.7.5
@apollo/composition@2.7.6
@apollo/composition@2.7.7
@apollo/composition@2.8.0
@apollo/composition@2.8.0-alpha.0
@apollo/composition@2.8.0-alpha.1
@apollo/composition@2.8.1
@apollo/composition@2.8.2
@apollo/composition@2.8.3
@apollo/composition@2.8.4
@apollo/composition@2.8.5
@apollo/composition@2.9.0
@apollo/composition@2.9.1
@apollo/composition@2.9.2
@apollo/composition@2.9.3
@apollo/composition@2.9.4
@apollo/federation-internals@2.*
@apollo/federation-internals@2.0.0-alpha.0
@apollo/federation-internals@2.0.0-alpha.1
@apollo/federation-internals@2.0.0-alpha.6
@apollo/federation-internals@2.10.0
@apollo/federation-internals@2.10.1
@apollo/federation-internals@2.10.2
@apollo/federation-internals@2.10.3
@apollo/federation-internals@2.4.0
@apollo/federation-internals@2.4.0-alpha.0
@apollo/federation-internals@2.4.0-alpha.1
@apollo/federation-internals@2.5.0
@apollo/federation-internals@2.5.1
@apollo/federation-internals@2.5.2
@apollo/federation-internals@2.5.3
@apollo/federation-internals@2.5.4
@apollo/federation-internals@2.5.5
@apollo/federation-internals@2.5.6
@apollo/federation-internals@2.5.7
@apollo/federation-internals@2.6.1
@apollo/federation-internals@2.6.2
@apollo/federation-internals@2.7.0
@apollo/federation-internals@2.7.1
@apollo/federation-internals@2.7.2
@apollo/federation-internals@2.7.3
@apollo/federation-internals@2.7.4
@apollo/federation-internals@2.7.5
@apollo/federation-internals@2.7.6
@apollo/federation-internals@2.7.7
@apollo/federation-internals@2.8.0
@apollo/federation-internals@2.8.0-alpha.0
@apollo/federation-internals@2.8.0-alpha.1
@apollo/federation-internals@2.8.1
@apollo/federation-internals@2.8.2
@apollo/federation-internals@2.8.3
@apollo/federation-internals@2.8.4
@apollo/federation-internals@2.8.5
@apollo/federation-internals@2.9.0
@apollo/federation-internals@2.9.1
@apollo/federation-internals@2.9.2
@apollo/federation-internals@2.9.3
@apollo/federation-internals@2.9.4
@apollo/federation@0.*
@apollo/federation@0.20.1
@apollo/federation@0.20.2
@apollo/federation@0.20.3
@apollo/federation@0.20.4
@apollo/federation@0.20.5
@apollo/federation@0.20.6
@apollo/federation@0.20.7
@apollo/federation@0.21.0
@apollo/federation@0.21.1
@apollo/federation@0.21.2
@apollo/federation@0.22.0
@apollo/federation@0.23.1
@apollo/federation@0.23.2
@apollo/federation@0.24.0
@apollo/federation@0.25.0
@apollo/federation@0.25.1
@apollo/federation@0.25.2
@apollo/federation@0.27.1
@apollo/federation@0.28.0
@apollo/federation@0.30.0
@apollo/federation@0.33.4
@apollo/federation@2.*
@apollo/federation@2.0.0-alpha.0
@apollo/federation@2.0.0-alpha.1
@apollo/gateway@0.*
@apollo/gateway@0.20.1
@apollo/gateway@0.20.2
@apollo/gateway@0.20.3
@apollo/gateway@0.20.4
@apollo/gateway@0.21.0
@apollo/gateway@0.21.1
@apollo/gateway@0.21.2
@apollo/gateway@0.21.3
@apollo/gateway@0.21.4
@apollo/gateway@0.22.0
@apollo/gateway@0.23.1
@apollo/gateway@0.23.2
@apollo/gateway@0.24.0
@apollo/gateway@0.24.1
@apollo/gateway@0.24.2
@apollo/gateway@0.24.3
@apollo/gateway@0.24.4
@apollo/gateway@0.25.1
@apollo/gateway@0.26.1
@apollo/gateway@0.26.2
@apollo/gateway@0.26.3
@apollo/gateway@0.27.0
@apollo/gateway@0.27.1
@apollo/gateway@0.28.0
@apollo/gateway@0.28.1
@apollo/gateway@0.28.2
@apollo/gateway@0.28.3
@apollo/gateway@0.29.0
@apollo/gateway@0.29.1
@apollo/gateway@0.30.0
@apollo/gateway@0.31.1
@apollo/gateway@0.32.0
@apollo/gateway@0.35.1
@apollo/gateway@0.36.0
@apollo/gateway@0.39.0
@apollo/gateway@0.42.4
@apollo/gateway@2.*
@apollo/gateway@2.0.0-alpha.0
@apollo/gateway@2.0.0-alpha.1
@apollo/gateway@2.0.0-alpha.6
@apollo/gateway@2.10.0
@apollo/gateway@2.10.1
@apollo/gateway@2.10.2
@apollo/gateway@2.10.3
@apollo/gateway@2.4.0
@apollo/gateway@2.4.0-alpha.0
@apollo/gateway@2.4.0-alpha.1
@apollo/gateway@2.5.0
@apollo/gateway@2.5.1
@apollo/gateway@2.5.2
@apollo/gateway@2.5.3
@apollo/gateway@2.5.4
@apollo/gateway@2.5.5
@apollo/gateway@2.5.6
@apollo/gateway@2.5.7
@apollo/gateway@2.6.1
@apollo/gateway@2.6.2
@apollo/gateway@2.7.0
@apollo/gateway@2.7.1
@apollo/gateway@2.7.2
@apollo/gateway@2.7.3
@apollo/gateway@2.7.4
@apollo/gateway@2.7.5
@apollo/gateway@2.7.6
@apollo/gateway@2.7.7
@apollo/gateway@2.8.0
@apollo/gateway@2.8.0-alpha.0
@apollo/gateway@2.8.0-alpha.1
@apollo/gateway@2.8.1
@apollo/gateway@2.8.2
@apollo/gateway@2.8.3
@apollo/gateway@2.8.4
@apollo/gateway@2.8.5
@apollo/gateway@2.9.0
@apollo/gateway@2.9.1
@apollo/gateway@2.9.2
@apollo/gateway@2.9.3
@apollo/gateway@2.9.4
@apollo/harmonizer@0.*
@apollo/harmonizer@0.1.2
@apollo/harmonizer@0.1.4
@apollo/harmonizer@0.1.5
@apollo/harmonizer@0.2.0
@apollo/harmonizer@0.2.4
@apollo/harmonizer@0.2.5
@apollo/harmonizer@0.28.1
@apollo/harmonizer@0.3.2
@apollo/harmonizer@0.3.3
@apollo/harmonizer@0.30.0
@apollo/harmonizer@0.33.4
@apollo/harmonizer@2.*
@apollo/harmonizer@2.0.0-alpha.0
@apollo/harmonizer@2.0.0-alpha.1
@apollo/harmonizer@2.0.0-alpha.6
@apollo/query-graphs@2.*
@apollo/query-graphs@2.0.0-alpha.0
@apollo/query-graphs@2.0.0-alpha.1
@apollo/query-graphs@2.0.0-alpha.6
@apollo/query-graphs@2.10.0
@apollo/query-graphs@2.10.1
@apollo/query-graphs@2.10.2
@apollo/query-graphs@2.10.3
@apollo/query-graphs@2.4.0
@apollo/query-graphs@2.4.0-alpha.0
@apollo/query-graphs@2.4.0-alpha.1
@apollo/query-graphs@2.5.0
@apollo/query-graphs@2.5.1
@apollo/query-graphs@2.5.2
@apollo/query-graphs@2.5.3
@apollo/query-graphs@2.5.4
@apollo/query-graphs@2.5.5
@apollo/query-graphs@2.5.6
@apollo/query-graphs@2.5.7
@apollo/query-graphs@2.6.1
@apollo/query-graphs@2.6.2
@apollo/query-graphs@2.7.0
@apollo/query-graphs@2.7.1
@apollo/query-graphs@2.7.2
@apollo/query-graphs@2.7.3
@apollo/query-graphs@2.7.4
@apollo/query-graphs@2.7.5
@apollo/query-graphs@2.7.6
@apollo/query-graphs@2.7.7
@apollo/query-graphs@2.8.0
@apollo/query-graphs@2.8.0-alpha.0
@apollo/query-graphs@2.8.0-alpha.1
@apollo/query-graphs@2.8.1
@apollo/query-graphs@2.8.2
@apollo/query-graphs@2.8.3
@apollo/query-graphs@2.8.4
@apollo/query-graphs@2.8.5
@apollo/query-graphs@2.9.0
@apollo/query-graphs@2.9.1
@apollo/query-graphs@2.9.2
@apollo/query-graphs@2.9.3
@apollo/query-graphs@2.9.4
@apollo/query-planner-wasm@0.*
@apollo/query-planner-wasm@0.0.10
@apollo/query-planner-wasm@0.0.3
@apollo/query-planner-wasm@0.0.4
@apollo/query-planner-wasm@0.0.5
@apollo/query-planner-wasm@0.0.6
@apollo/query-planner-wasm@0.0.7
@apollo/query-planner-wasm@0.0.8
@apollo/query-planner-wasm@0.0.9
@apollo/query-planner-wasm@0.1.1
@apollo/query-planner-wasm@0.1.2
@apollo/query-planner-wasm@0.2.0
@apollo/query-planner-wasm@0.2.1
@apollo/query-planner-wasm@0.2.2
@apollo/query-planner-wasm@0.2.3
@apollo/query-planner-wasm@0.2.4
@apollo/query-planner-wasm@0.2.6
@apollo/query-planner@0.*
@apollo/query-planner@0.0.11
@apollo/query-planner@0.0.12
@apollo/query-planner@0.0.13
@apollo/query-planner@0.0.14
@apollo/query-planner@0.1.1
@apollo/query-planner@0.1.2
@apollo/query-planner@0.1.3
@apollo/query-planner@0.1.4
@apollo/query-planner@0.2.0
@apollo/query-planner@0.2.1
@apollo/query-planner@0.2.2
@apollo/query-planner@0.3.1
@apollo/query-planner@0.4.0
@apollo/query-planner@0.5.2
@apollo/query-planner@2.*
@apollo/query-planner@2.0.0-alpha.0
@apollo/query-planner@2.0.0-alpha.1
@apollo/query-planner@2.0.0-alpha.6
@apollo/query-planner@2.10.0
@apollo/query-planner@2.10.1
@apollo/query-planner@2.10.2
@apollo/query-planner@2.10.3
@apollo/query-planner@2.4.0
@apollo/query-planner@2.4.0-alpha.0
@apollo/query-planner@2.4.0-alpha.1
@apollo/query-planner@2.5.0
@apollo/query-planner@2.5.1
@apollo/query-planner@2.5.2
@apollo/query-planner@2.5.3
@apollo/query-planner@2.5.4
@apollo/query-planner@2.5.5
@apollo/query-planner@2.5.6
@apollo/query-planner@2.5.7
@apollo/query-planner@2.6.1
@apollo/query-planner@2.6.2
@apollo/query-planner@2.7.0
@apollo/query-planner@2.7.1
@apollo/query-planner@2.7.2
@apollo/query-planner@2.7.3
@apollo/query-planner@2.7.4
@apollo/query-planner@2.7.5
@apollo/query-planner@2.7.6
@apollo/query-planner@2.7.7
@apollo/query-planner@2.8.0
@apollo/query-planner@2.8.0-alpha.0
@apollo/query-planner@2.8.0-alpha.1
@apollo/query-planner@2.8.1
@apollo/query-planner@2.8.2
@apollo/query-planner@2.8.3
@apollo/query-planner@2.8.4
@apollo/query-planner@2.8.5
@apollo/query-planner@2.9.0
@apollo/query-planner@2.9.1
@apollo/query-planner@2.9.2
@apollo/query-planner@2.9.3
@apollo/query-planner@2.9.4
@apollo/router-bridge@0.*
@apollo/router-bridge@0.1.1
@apollo/router-bridge@2.*
@apollo/router-bridge@2.0.0-alpha.0
@apollo/router-bridge@2.0.0-alpha.1
@apollo/router-bridge@2.0.0-alpha.6
@apollo/subgraph@0.*
@apollo/subgraph@0.1.3
@apollo/subgraph@2.*
@apollo/subgraph@2.0.0-alpha.0
@apollo/subgraph@2.0.0-alpha.1
@apollo/subgraph@2.0.0-alpha.6
@apollo/subgraph@2.10.0
@apollo/subgraph@2.10.1
@apollo/subgraph@2.10.2
@apollo/subgraph@2.10.3
@apollo/subgraph@2.4.0
@apollo/subgraph@2.4.0-alpha.0
@apollo/subgraph@2.4.0-alpha.1
@apollo/subgraph@2.5.0
@apollo/subgraph@2.5.1
@apollo/subgraph@2.5.2
@apollo/subgraph@2.5.3
@apollo/subgraph@2.5.4
@apollo/subgraph@2.5.5
@apollo/subgraph@2.5.6
@apollo/subgraph@2.5.7
@apollo/subgraph@2.6.1
@apollo/subgraph@2.6.2
@apollo/subgraph@2.7.0
@apollo/subgraph@2.7.1
@apollo/subgraph@2.7.2
@apollo/subgraph@2.7.3
@apollo/subgraph@2.7.4
@apollo/subgraph@2.7.5
@apollo/subgraph@2.7.6
@apollo/subgraph@2.7.7
@apollo/subgraph@2.8.0
@apollo/subgraph@2.8.0-alpha.0
@apollo/subgraph@2.8.0-alpha.1
@apollo/subgraph@2.8.1
@apollo/subgraph@2.8.2
@apollo/subgraph@2.8.3
@apollo/subgraph@2.8.4
@apollo/subgraph@2.8.5
@apollo/subgraph@2.9.0
@apollo/subgraph@2.9.1
@apollo/subgraph@2.9.2
@apollo/subgraph@2.9.3
@apollo/subgraph@2.9.4
apollo-federation-integration-testsuite@0.*
apollo-federation-integration-testsuite@0.20.1
apollo-federation-integration-testsuite@0.20.2
apollo-federation-integration-testsuite@0.20.3
apollo-federation-integration-testsuite@0.20.4
apollo-federation-integration-testsuite@0.20.5
apollo-federation-integration-testsuite@0.21.0
apollo-federation-integration-testsuite@0.22.0
apollo-federation-integration-testsuite@0.23.1
apollo-federation-integration-testsuite@0.23.2
apollo-federation-integration-testsuite@0.23.3
apollo-federation-integration-testsuite@0.24.0
apollo-federation-integration-testsuite@0.25.0
apollo-federation-integration-testsuite@0.25.1
apollo-federation-integration-testsuite@0.28.0
apollo-federation-integration-testsuite@0.30.0
apollo-federation-integration-testsuite@0.33.2
apollo-federation-integration-testsuite@2.*
apollo-federation-integration-testsuite@2.0.0-alpha.0
apollo-federation-integration-testsuite@2.0.0-alpha.1
apollo-federation-integration-testsuite@2.0.0-alpha.6
Other
pre-cli-removal
publish/20200918220443
publish/20200921213411
publish/20200924175307
publish/20200925115025
publish/20200925115037
publish/20200925115045
publish/20200925115054
publish/20200930151034
publish/20201109161401
publish/20201119213556
publish/20201120184033
publish/20201204223135
publish/20210114172739
publish/20210226192245
publish/20210226202753
publish/20210310080736
publish/20210310082711
publish/20210310092238
publish/20210310092738
publish/20210310114707
publish/20210331111626
publish/20210405205933
publish/20210422213358
publish/20210426214525
publish/20210429133001
publish/20210429171631
publish/20210503102213
publish/20210510202305
publish/20210525001653
publish/20210610145647
publish/20210616192610
publish/20210616215933
publish/20210622204946
publish/20210702103216
publish/20210702222118
publish/20210727175430
publish/20210803175107
publish/20210826121431
publish/20211103085729
publish/20220214110600
publish/20220309170101
publish/20220309171736
stargate@0.*
stargate@0.0.1-alpha.0
v0.*
v0.0.3
v0.1.10
v0.1.8
v0.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64530.json"