Incorrect Authorization Affecting @apollo/composition package, versions <2.9.5>=2.10.0-alpha.0 <2.10.4>=2.11.0-preview.0 <2.11.5-preview.0>=2.12.0-preview.0 <2.12.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Incorrect Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-APOLLOCOMPOSITION-14038234
- published16 Nov 2025
- disclosed14 Nov 2025
- creditUnknown
Introduced: 14 Nov 2025
NewCVE-2025-64172 (opens in a new tab)How to fix?
Upgrade @apollo/composition to version 2.9.5, 2.10.4, 2.11.5-preview.0, 2.12.1 or higher.
Overview
@apollo/composition is an Apollo Federation composition utilities
Affected versions of this package are vulnerable to Incorrect Authorization via the composition logic, which failed to validate that fields have the same access control requirements as the data they reference. An attacker can retrieve sensitive information by crafting queries that access protected fields indirectly through dependencies defined with @requires or @fromContext directives, thereby bypassing intended access control checks.
Note: This vulnerability only affects users of Apollo Router access control features (@authenticated, @requiresScopes, or @policy directives) that utilize @requires or @fromContext directives in combination with field-level access control.
Workaround
If using Apollo Rover with an unpatched version or Apollo Studio with Federation version 2.8 or lower, check your schema for sensitive fields accessed via @requires or @fromContext. You can apply proper access control directives to those fields or consider restructuring your schema to query protected fields directly.