Apollo Federation Improper Access Control Bypass Vulnerability in Composition Logic
Vulnerability
A vulnerability exists in Apollo Federation's composition logic in versions prior to 2.9.5, 2.10.4, 2.11.5, and 2.12.1. This vulnerability allows certain queries to Apollo Router to bypass access controls on types and fields. The issue arises because Apollo Federation incorrectly permitted user-defined access control directives on interface types and fields, which could be circumvented by querying the implementing object types and fields through inline or named fragments. The composition logic has been patched to disallow access control directives on interface types and fields, addressing this security gap.
Impact
Exploitation of this vulnerability could lead to unauthorized access by allowing queries to bypass defined access control requirements on interface types and fields, potentially exposing sensitive data or functionality.
Remediation
Users of Apollo Rover should update to version 2.9.5, 2.10.4, 2.11.5, or 2.12.1 and adjust access control requirements in their subgraph schemas. Customers using the Apollo Studio build pipeline with Federation version 2.9 or above will receive this update automatically but should still adjust access control requirements in their subgraph schemas. Those not using Apollo Router access control features or not specifying access control on interface types and fields are not affected and do not need to take action.
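The schema adjustment this remediation asks for, as an added illustration that is not part of the advisory: a subgraph that placed Router access-control directives on an interface (the pattern patched composition now rejects) beside the same subgraph with the directives moved onto the implementing object type and its fields. The type names and scope value are constructed for this example; the advisory names no specific directives, so `@authenticated` and `@requiresScopes` are assumed here as the Federation access-control directives in use.

```graphql
extend schema
  @link(url: "https://specs.apollo.dev/federation/v2.9",
        import: ["@key", "@authenticated", "@requiresScopes"])

# --- BEFORE (affected pattern; rejected by the patched composition) ---
# Access control declared only on the interface. A query that selects the
# implementing object type through a fragment is not bound by it, so the
# interface-level directives do not actually protect the underlying fields.
interface AccountBefore @authenticated {
  id: ID!
  balance: Int @requiresScopes(scopes: [["account:read"]])
}

type CheckingAccountBefore implements AccountBefore @key(fields: "id") {
  id: ID!
  balance: Int          # unprotected: no directive on the object field
  overdraftLimit: Int
}

# --- AFTER (remediated pattern) ---
# The interface carries no access-control directives; every implementing
# object type and field that needs protection declares it directly, so the
# requirement holds however the field is reached.
interface Account {
  id: ID!
  balance: Int
}

type CheckingAccount implements Account @key(fields: "id") @authenticated {
  id: ID!
  balance: Int @requiresScopes(scopes: [["account:read"]])
  overdraftLimit: Int @requiresScopes(scopes: [["account:read"]])
}

type Query {
  account(id: ID!): Account @authenticated
}
```

After updating, running composition on the "before" shape should fail with a composition error rather than silently succeed; that failure is the signal that an interface-level directive still needs to be moved onto its implementing types.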
