
CVE-2025-32033 apollo-router

Package

Manager: cargo
Name: apollo-router
Vulnerable Version: >=0 <1.61.2 || >=2.0.0-alpha.0 <2.1.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00049 pctl0.14934

Details

Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow

# Impact

## Summary

A vulnerability in Apollo Router allowed certain queries to bypass configured operation limits, specifically due to integer overflow.

## Details

The operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments.

## Fix/Mitigation

Logic was updated to ensure counter overflow is handled correctly and does not wrap around to 0.

# Patches

This has been remediated in `apollo-router` versions 1.61.2 and 2.1.1.

# Workarounds

The only known workaround is "Safelisting" or "Safelisting with IDs only" per [Safelisting with Persisted Queries - Apollo GraphQL Docs](https://www.apollographql.com/docs/graphos/routing/security/persisted-queries#router-security-levels).

## Acknowledgements

We appreciate the efforts of the security community in identifying and improving the performance and security of operation limiting mechanisms.
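The mechanism above (a u32 counter that wraps to 0 when reused fragments push the expanded size past 4,294,967,295, so a limit check sees a tiny number) and the fix (arithmetic that cannot wrap) can be shown side by side in a small model. The following is added example code, not apollo-router's operation-limits plugin: the `Selection`/`Query` types, the `expanded_field_count` metric and the constructed fragment chain are all assumptions made here to illustrate the failure mode and the regression check a maintainer would want.

```rust
use std::collections::HashMap;

/// Illustrative model of a GraphQL selection set: some fields of its own plus
/// named-fragment spreads. Hypothetical type for this example, not a router API.
struct Selection {
    own_fields: u32,
    spreads: Vec<String>,
}

struct Query {
    operation: Selection,
    fragments: HashMap<String, Selection>,
}

/// How the running counter is incremented. `Wrapping` reproduces the flaw the
/// advisory describes (a u32 counter that wraps to 0); `Saturating` pins the
/// counter at u32::MAX so an oversized query can never look small.
#[derive(Clone, Copy)]
enum Arith {
    Wrapping,
    Saturating,
}

fn add(a: u32, b: u32, arith: Arith) -> u32 {
    match arith {
        Arith::Wrapping => a.wrapping_add(b),
        Arith::Saturating => a.saturating_add(b),
    }
}

/// Counts fields after fragment expansion: every spread contributes the full
/// size of the fragment it names, each time it is spread. Sizes are memoised
/// per fragment, so the constructed example runs instantly even though the
/// expanded query would contain billions of fields.
fn expanded_field_count(q: &Query, arith: Arith) -> u32 {
    fn size(sel: &Selection, q: &Query, arith: Arith, memo: &mut HashMap<String, u32>) -> u32 {
        let mut total = sel.own_fields;
        for name in &sel.spreads {
            let child = match memo.get(name) {
                Some(&s) => s,
                None => {
                    let s = size(&q.fragments[name], q, arith, memo);
                    memo.insert(name.clone(), s);
                    s
                }
            };
            total = add(total, child, arith);
        }
        total
    }
    size(&q.operation, q, arith, &mut HashMap::new())
}

/// The limit check itself: reject when the counter exceeds the configured maximum.
fn within_limit(count: u32, max: u32) -> bool {
    count <= max
}

/// Constructed input: the operation selects one field of its own and spreads
/// `F1` sixteen times; `F1`..`F7` each spread the next fragment sixteen times;
/// `F8` is a single leaf field. Expanded size is 1 + 16^8 = 2^32 + 1 fields,
/// from a query text only a few hundred bytes long.
fn nested_fragments_query() -> Query {
    let mut fragments = HashMap::new();
    for i in 1..8 {
        fragments.insert(
            format!("F{i}"),
            Selection { own_fields: 0, spreads: vec![format!("F{}", i + 1); 16] },
        );
    }
    fragments.insert("F8".to_string(), Selection { own_fields: 1, spreads: vec![] });
    Query {
        operation: Selection { own_fields: 1, spreads: vec!["F1".to_string(); 16] },
        fragments,
    }
}

fn main() {
    let q = nested_fragments_query();
    let max_fields = 100; // an assumed configured limit
    let wrapped = expanded_field_count(&q, Arith::Wrapping);
    let saturated = expanded_field_count(&q, Arith::Saturating);
    // Wrapping: counter reads 1, so the oversized query is allowed through.
    println!("wrapping counter: {wrapped}, allowed = {}", within_limit(wrapped, max_fields));
    // Saturating: counter reads u32::MAX, so the query is rejected.
    println!("saturating counter: {saturated}, allowed = {}", within_limit(saturated, max_fields));
}
```

`saturating_add` is one way to make the counter monotone; `checked_add` that turns `None` into an immediate rejection is an equally valid fix, with the advantage that the error can name the exceeded limit. Either way, the regression check is the same: the constructed query must fail the limit check, not pass it with a counter of 1.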

Metadata

Created: 2025-04-07T18:59:21Z
Modified: 2025-04-08T17:50:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-84m6-5m72-45fp/GHSA-84m6-5m72-45fp.json
CWE IDs: ["CWE-190"]
Alternative ID: GHSA-84m6-5m72-45fp
Finding: F111
Auto approve: 1