CVE-2025-64530: @apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
A vulnerability in Apollo Federation’s composition logic allowed some queries to Apollo Router to improperly bypass access controls on types and fields. Apollo Federation incorrectly accepted user-defined access control directives on interface types and fields; those controls could be bypassed by instead querying the implementing object types and fields in Apollo Router via inline or named fragments. A fix to Federation’s composition logic now disallows interface types and fields from carrying user-defined access control directives.
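The flaw described above, illustrated with an added example that is not Apollo's code: a small lint that flags user-defined access control directives on interface types or fields in a subgraph SDL, run over a constructed schema that guards only the interface and over the same schema with the directives moved to the implementing object type. The directive names, both schemas and the one-field-per-line SDL layout are assumptions.

```javascript
// Added example, not Apollo's code: lint a subgraph SDL for the pattern behind
// CVE-2025-64530 (an access-control directive on an interface type or field).
// Assumes one definition header / one field per line, as graphql-js printSchema
// emits; ACCESS_DIRECTIVES is a constructed, deployment-specific name list.
const ACCESS_DIRECTIVES = ["requiresRole", "authenticated"];
// Directive names used on one line: '@requiresRole(role: "x")' -> ["requiresRole"]
const directivesOn = (text) => [...text.matchAll(/@([A-Za-z_]\w*)/g)].map((m) => m[1]);

function findInterfaceAccessDirectives(sdl, names = ACCESS_DIRECTIVES) {
  const findings = [];
  let current = null; // interface whose body we are inside, if any
  for (const raw of sdl.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim(); // drop comments and indentation
    if (!line) continue;
    const header = line.match(/^(?:extend\s+)?interface\s+([A-Za-z_]\w*)(.*)$/);
    if (header) {
      current = header[1]; // directives on the interface type itself
      for (const d of directivesOn(header[2]))
        if (names.includes(d)) findings.push({ interface: current, field: null, directive: d });
      continue;
    }
    // A closing brace or any other definition header ends the interface body.
    if (line === "}" || /^(?:extend\s+)?(type|enum|input|union|scalar|schema|directive)\b/.test(line)) {
      current = null;
      continue;
    }
    if (current === null) continue;
    const field = line.match(/^([A-Za-z_]\w*)\s*(?:\([^)]*\))?\s*:/); // a field definition
    for (const d of field ? directivesOn(line) : [])
      if (names.includes(d)) findings.push({ interface: current, field: field[1], directive: d });
  }
  return findings;
}

// Constructed subgraph guarding the interface only; `... on Customer { balance }` selects the unguarded object field.
const VULNERABLE_SDL = `
interface Account @requiresRole(role: "admin") {
  balance: Int @requiresRole(role: "auditor")
}
type Customer implements Account {
  balance: Int
}`;
// Same subgraph with the directives moved onto the implementing object type and its field; the lint reports nothing.
const HARDENED_SDL = `
interface Account {
  balance: Int
}
type Customer implements Account @requiresRole(role: "admin") {
  balance: Int @requiresRole(role: "auditor")
}`;
```

Run it over each subgraph's SDL before composition; any finding is the pattern the fixed composition now rejects.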
References
- github.com/advisories/GHSA-mx7m-j9xf-62hw
- github.com/apollographql/federation
- github.com/apollographql/federation/pull/3340
- github.com/apollographql/federation/pull/3341
- github.com/apollographql/federation/pull/3343
- github.com/apollographql/federation/security/advisories/GHSA-mx7m-j9xf-62hw
- nvd.nist.gov/vuln/detail/CVE-2025-64530