CVE-2025-32032

Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested and reused named fragments can generate many selections where this optimization does not apply, leading to significantly longer planning times. Because the query planner does not enforce a timeout, a small number of such queries can exhaust router's thread pool, rendering it inoperable. This could lead to excessive resource consumption and denial of service. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-04-01 CVE Reserved
2025-04-07 CVE Published
2025-04-08 CVE Updated
2025-04-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (3)

URL	Tag	Source
https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564	X_refsource_misc
https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952	X_refsource_misc
https://github.com/apollographql/router/security/advisories/GHSA-94hh-jmq8-2fgp	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apollographql Search vendor "Apollographql"		Router Search vendor "Apollographql" for product "Router"				< 1.61.2 Search vendor "Apollographql" for product "Router" and version " < 1.61.2"		en		Affected
Apollographql Search vendor "Apollographql"		Router Search vendor "Apollographql" for product "Router"				>= 2.0.0 < 2.1.1 Search vendor "Apollographql" for product "Router" and version " >= 2.0.0 < 2.1.1"		en		Affected