CVE-2025-32030

Apollo Gateway provides utilities for combining multiple GraphQL microservices into a single GraphQL endpoint. Prior to 2.10.1, a vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reused fragments were involved. This could lead to excessive resource consumption and denial of service. This has been remediated in @apollo/gateway version 2.10.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/apollographql/federation/pull/3236	Issue Tracking Patch
https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1	Release Notes
https://github.com/apollographql/federation/security/advisories/GHSA-q2f9-x4p4-7xmh	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apollographql:apollo_gateway:*:*:*:*:*:node.js:*:*

History

01 Aug 2025, 16:52

Type	Values Removed	Values Added
References	~~() https://github.com/apollographql/federation/pull/3236 -~~	() https://github.com/apollographql/federation/pull/3236 - Issue Tracking, Patch
References	~~() https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1 -~~	() https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1 - Release Notes
References	~~() https://github.com/apollographql/federation/security/advisories/GHSA-q2f9-x4p4-7xmh -~~	() https://github.com/apollographql/federation/security/advisories/GHSA-q2f9-x4p4-7xmh - Vendor Advisory
CPE		cpe:2.3:a:apollographql:apollo_gateway::::::node.js::*
First Time		Apollographql Apollographql apollo Gateway

08 Apr 2025, 18:13

Type	Values Removed	Values Added
Summary		(es) Apollo Gateway proporciona utilidades para combinar múltiples microservicios GraphQL en un único endpoint GraphQL. Antes de la versión 2.10.1, una vulnerabilidad en Apollo Gateway hacía que las consultas con fragmentos con nombre profundamente anidados y reutilizados fueran excesivamente costosas de planificar, especialmente durante la expansión de fragmentos con nombre. Los fragmentos con nombre se expandían una vez por cada fragmento extendido durante la planificación, lo que provocaba un uso exponencial de recursos al involucrar fragmentos profundamente anidados y reutilizados. Esto podía provocar un consumo excesivo de recursos y denegación de servicio. Esto se ha solucionado en la versión 2.10.1 de @apollo/gateway.

07 Apr 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-07 21:15

Updated : 2025-08-01 16:52

NVD link : CVE-2025-32030

Mitre link : CVE-2025-32030

CVE.ORG link : CVE-2025-32030

JSON object : View

Products Affected

apollographql

apollo_gateway

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10