Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-32030

Apollo Gateway provides utilities for combining multiple GraphQL microservices into a single GraphQL endpoint. Prior to 2.10.1, a vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reused fragments were involved. This could lead to excessive resource consumption and denial of service. This has been remediated in @apollo/gateway version 2.10.1.

Published

2025-04-07T21:15:43.037

Last Modified

2025-08-01T16:52:41.117

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-770

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apollographql	apollo_gateway	< 2.10.1	Yes

References

https://github.com/apollographql/federation/pull/3236 Issue Tracking, Patch ([email protected])
https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1 Release Notes ([email protected])
https://github.com/apollographql/federation/security/advisories/GHSA-q2f9-x4p4-7xmh Vendor Advisory ([email protected])