CVE-2025-32034 Overview
CVE-2025-32034 affects the Apollo Router Core, a high-performance graph router written in Rust for federated supergraphs using Apollo Federation 2. The vulnerability allows unauthenticated attackers to submit GraphQL queries containing deeply nested and reused named fragments. During query planning, the router expands each named fragment once per fragment spread, producing exponential resource usage. This behavior enables a denial of service condition through excessive CPU and memory consumption. The flaw is tracked as [CWE-770: Allocation of Resources Without Limits or Throttling]. Apollo addressed the issue in apollo-router versions 1.61.2 and 2.1.1.
Critical Impact
A remote unauthenticated attacker can trigger exponential resource consumption during GraphQL query planning, causing denial of service against the Apollo Router.
Affected Products
- Apollo Router Core versions prior to 1.61.2
- Apollo Router Core 2.x versions from 2.0.0 up to, but not including, 2.1.1
- Federated supergraphs built on Apollo Federation 2 using vulnerable router builds
Discovery Timeline
- 2025-04-07 - CVE-2025-32034 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-32034
Vulnerability Analysis
The Apollo Router constructs an execution plan for every incoming GraphQL operation. Query planning includes a stage that expands named fragments referenced through fragment spreads. The vulnerable implementation re-expands each named fragment for every spread that references it.
When fragments reference other fragments, expansion compounds at each level. A query containing N levels of nested fragments with K spreads per level produces work proportional to K^N. The planner becomes the bottleneck before any data is fetched from subgraphs.
Because the work occurs during planning, before any subgraph request is issued, subgraph timeouts never see it, and a depth limit alone does not bound it either: repeated spreads widen the expanded selection set without deepening it. The planner thread consumes CPU and allocates memory until the process is killed by resource limits or becomes unresponsive. The weakness is classified under [CWE-770].
Root Cause
The query planner lacked memoization or caching of expanded fragment definitions. Each fragment spread triggered a fresh expansion, including recursive expansion of any nested fragments. The fix introduces deduplicated expansion so a fragment is processed once regardless of how many times it is referenced.
Attack Vector
An attacker sends a single crafted GraphQL document over the network to any endpoint served by the Apollo Router. No authentication or user interaction is required when the GraphQL endpoint is reachable. The malicious operation contains a small chain of named fragments in which each fragment spreads the next one several times (fragment cycles are rejected by GraphQL validation, so the nesting is acyclic; the blow-up comes from reuse at every level). The router accepts the request, enters the planning stage, and exhausts available resources. Repeated requests amplify the impact across worker threads. Verified code examples for this issue were not released; refer to the Apollo GitHub Security Advisory GHSA-75m2-jhh5-j5g2 for technical details.
Detection Methods for CVE-2025-32034
Indicators of Compromise
- Sustained high CPU utilization on Apollo Router processes correlated with inbound GraphQL POST requests
- Memory growth in the router process followed by out-of-memory terminations or restarts
- Query planning latency spikes recorded in router telemetry without corresponding subgraph load
- GraphQL request bodies containing many fragment definitions whose bodies consist mostly of repeated ...FragmentName spreads of one another
Detection Strategies
- Inspect inbound GraphQL operations for unusually high counts of named fragment definitions and fragment spreads per request
- Alert on the router's query planning histograms, such as apollo.router.query_planning.plan.duration (exposed as apollo_router_query_planning_plan_duration by the Prometheus exporter), exceeding baseline thresholds
- Correlate web application firewall logs with router CPU and memory metrics to identify single requests that precede saturation
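As an added example (not code from Apollo or the advisory), the following Python script models the two planner behaviours described under Technical Details, naive expansion where every spread re-expands its fragment and deduplicated expansion where each fragment is expanded once, and doubles as the per-request inspection suggested above. It estimates how many fragment expansions a naive planner would perform for a document, so a gateway could reject a request before it reaches the planner. The regex-based fragment extraction, the function names, the constructed sample documents, and the 10,000-expansion threshold are all assumptions for illustration; a production check should use a real GraphQL parser.

```python
"""Cost estimator for named-fragment expansion in a GraphQL document.

Added example, not Apollo Router code. It models the two planner behaviours
discussed in the advisory: naive expansion (every spread re-expands its
fragment) and deduplicated expansion (each fragment expanded once). The
GraphQL "parser" is a deliberate simplification that only understands
`fragment Name on Type { ... }` definitions and `...Name` spreads.
"""
import re

FRAGMENT_DEF = re.compile(r"\bfragment\s+(\w+)\s+on\s+\w+\s*\{")
# `...Name` spreads; `... on Type` inline fragments are skipped
SPREAD = re.compile(r"\.\.\.\s*(?!on\b)(\w+)")


def _body_span(text, open_idx):
    """Return (body, end_idx) for the brace block starting at text[open_idx] == '{'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i], i + 1
    raise ValueError("unbalanced braces in document")


def split_document(document):
    """Return (graph, operation_spreads). graph maps each fragment name to the
    fragment names it spreads (with repeats); operation_spreads are the spreads
    used directly by the operation(s) outside any fragment definition."""
    graph, rest, pos = {}, [], 0
    for m in FRAGMENT_DEF.finditer(document):
        body, end = _body_span(document, m.end() - 1)
        graph[m.group(1)] = SPREAD.findall(body)
        rest.append(document[pos:m.start()])
        pos = end
    rest.append(document[pos:])
    return graph, SPREAD.findall("".join(rest))


def naive_expansions(graph, roots):
    """Expansions performed when each spread re-expands its fragment (the
    vulnerable behaviour). Nested fragments compound, so a chain of N fragments
    with K spreads per level costs about K^N. Raises ValueError on a fragment
    cycle, which GraphQL validation rejects before planning anyway."""
    def expand(name, stack):
        if name in stack:
            raise ValueError(f"fragment cycle through {name}")
        return 1 + sum(expand(c, stack | {name}) for c in graph.get(name, []))
    return sum(expand(r, frozenset()) for r in roots)


def dedup_expansions(graph, roots):
    """Expansions when each fragment is expanded once and reused (fixed behaviour)."""
    seen = set()

    def visit(name):
        if name not in seen:
            seen.add(name)
            for c in graph.get(name, []):
                visit(c)
    for r in roots:
        visit(r)
    return len(seen)


def analyze(document, max_expansions=10_000):
    """Summarize a document. `max_expansions` is an illustrative threshold, not
    an Apollo setting; `suspicious` is True when naive expansion would exceed it."""
    graph, roots = split_document(document)
    result = {"fragments": len(graph),
              "spreads": sum(map(len, graph.values())) + len(roots)}
    try:
        result["naive"] = naive_expansions(graph, roots)
    except ValueError as err:
        return {**result, "naive": None, "dedup": None,
                "suspicious": False, "invalid": str(err)}
    result["dedup"] = dedup_expansions(graph, roots)
    result["suspicious"] = result["naive"] > max_expansions
    return result


def build_chain_document(levels, spreads_per_level):
    """Constructed sample: a chain F0 -> F1 -> ... where each fragment spreads
    the next one `spreads_per_level` times and the last selects a plain field."""
    parts = ["query Probe { ...F0 }"]
    for i in range(levels):
        body = ("id" if i == levels - 1
                else " ".join(f"...F{i + 1}" for _ in range(spreads_per_level)))
        parts.append(f"fragment F{i} on Query {{ {body} }}")
    return "\n".join(parts)


if __name__ == "__main__":
    # Ten fragments with four spreads each are a few hundred bytes of text but
    # cost a naive planner 349,525 expansions; deduplicated, they cost 10.
    for levels, k in [(3, 2), (5, 3), (10, 4)]:
        print(levels, k, analyze(build_chain_document(levels, k)))
```

The point to take from the numbers is the gap between `naive` and `dedup`: the document size grows linearly with the number of fragments, so size-based limits alone (request bytes, token counts) catch only the crudest payloads, while an expansion estimate like `naive` tracks the actual planner cost.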
Monitoring Recommendations
- Enable Apollo Router telemetry export to a centralized observability backend and track planning duration percentiles
- Set per-request size and complexity limits in the upstream proxy or API gateway in front of the router
- Monitor process restarts and orchestrator events for the router workload to detect resource exhaustion patterns
How to Mitigate CVE-2025-32034
Immediate Actions Required
- Upgrade Apollo Router to version 1.61.2 for the 1.x branch or 2.1.1 for the 2.x branch
- Restrict access to the GraphQL endpoint where feasible using authentication, network policy, or rate limiting
- Apply request body size limits at the load balancer or ingress layer to reject oversized GraphQL documents
Patch Information
Apollo released fixes in apollo-router 1.61.2 and 2.1.1. The remediation removes redundant fragment expansion during query planning. Review the upstream commits at apollographql/router commit ab6675a and apollographql/router commit bba032e, and the GitHub Security Advisory GHSA-75m2-jhh5-j5g2 for full details.
Workarounds
- Enable persisted query safelisting so only pre-registered operations reach the planner
- Enforce GraphQL operation depth, breadth, and fragment count limits at an API gateway, and use the router's own limits section (max_depth, max_height, parser_max_tokens, http_max_request_bytes) to bound document size; none of these counts fragment spreads directly, so treat them as a ceiling rather than a fix
- Configure aggressive request timeouts and CPU/memory cgroup limits on the router process to contain impact until patches are applied
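The following router.yaml fragment, added here as an illustration rather than taken from the advisory, puts the workarounds above together using the router's documented limits, traffic_shaping, and persisted_queries sections. The numeric values are illustrative and should be tuned to the schema and traffic; the persisted query safelist requires GraphOS.

```yaml
# router.yaml (illustrative values, not a recommended baseline)
limits:
  # Caps on the parsed operation. parser_max_tokens and http_max_request_bytes
  # also cap how many fragment spreads a document can physically contain.
  parser_max_tokens: 15000
  parser_max_recursion: 500
  max_depth: 100
  max_height: 200
  max_aliases: 30
  max_root_fields: 20
  http_max_request_bytes: 2000000
  # Start with warn_only: true to log violations before rejecting traffic
  warn_only: false

traffic_shaping:
  router:
    # Whole-request timeout; bounds client-visible latency, though it may not
    # free a planner thread that is already expanding fragments
    timeout: 30s

# Requires GraphOS: reject any operation not in the registered list
persisted_queries:
  enabled: true
  safelist:
    enabled: true
    require_id: true
```

The safelist is the only setting here that actually prevents an unpatched planner from seeing an attacker-authored document; the limits and timeout reduce blast radius until the upgrade lands.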
# Upgrade example
# Upgrade Apollo Router via cargo, or pull the fixed container image
cargo install apollo-router --version 1.61.2
# or for the 2.x branch
cargo install apollo-router --version 2.1.1
# for container deployments, pull the matching tag instead
docker pull ghcr.io/apollographql/router:v1.61.2
# Verify the running version
./router --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.