CVE - CVE-2025-32032

CVE-ID
CVE-2025-32032	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested and reused named fragments can generate many selections where this optimization does not apply, leading to significantly longer planning times. Because the query planner does not enforce a timeout, a small number of such queries can exhaust router's thread pool, rendering it inoperable. This could lead to excessive resource consumption and denial of service. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 URL:https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 MISC:https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952 URL:https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952 MISC:https://github.com/apollographql/router/security/advisories/GHSA-94hh-jmq8-2fgp URL:https://github.com/apollographql/router/security/advisories/GHSA-94hh-jmq8-2fgp
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20250401	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20250401)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)