CVE-2025-32033

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-32033
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564
https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952
https://github.com/apollographql/router/security/advisories/GHSA-84m6-5m72-45fp
Configurations

No configuration.

History

08 Apr 2025, 18:13

Type Values Removed Values Added
Summary
  • (es) Apollo Router Core es un enrutador de gráficos configurable y de alto rendimiento, escrito en Rust, para ejecutar un supergrafo federado que utiliza Apollo Federation 2. Antes de las versiones 1.61.2 y 2.1.1, el complemento de los límites de operación utilizaba enteros de 32 bits sin signo para controlar los contadores de los límites (por ejemplo, la altura de una consulta). Si un contador superaba el valor máximo para este tipo de dato (4 294 967 295), se reiniciaba a 0, lo que permitía involuntariamente que las consultas superaran los umbrales configurados. Esto podía ocurrir en consultas grandes si el límite de payload se aumentaba lo suficiente, pero también en consultas pequeñas con fragmentos con nombre profundamente anidados y reutilizados. Esto se ha solucionado en las versiones 1.61.2 y 2.1.1 de apollo-router.

07 Apr 2025, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-07 21:15

Updated : 2025-04-08 18:13

NVD link : CVE-2025-32033

Mitre link : CVE-2025-32033

CVE.ORG link : CVE-2025-32033

JSON object : View

Products Affected

No product.

CWE
CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer