CVE-2025-32030
Apollo Gateway < 2.10.1 - Denial of Service via Named Fragment Expansion
Severity
HIGH
Title source: llmDescription
Apollo Gateway provides utilities for combining multiple GraphQL microservices into a single GraphQL endpoint. Prior to 2.10.1, queries with deeply nested and reused named fragments were prohibitively expensive to query plan, specifically during named fragment expansion: the planner expanded a named fragment once per fragment spread rather than once per fragment, so the work grew exponentially with nesting depth whenever the same fragment was spread repeatedly. An unauthenticated remote client (CVSS AV:N/PR:N) could send such a query to exhaust gateway CPU and cause denial of service. Because the cost is paid during query planning in the gateway itself, before any request is fanned out to subgraphs, limits enforced by the subgraphs do not mitigate it. This has been remediated in @apollo/gateway version 2.10.1.
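The following is an added example, not code from Apollo Gateway or the advisory. It models the named-fragment expansion described above with a minimal document representation (a map of fragment name to selection list, where a selection is a field name or a spread) and compares once-per-spread expansion with once-per-fragment expansion, then shows a cheap pre-planning budget check. The fragment names, query shape, and budget are constructed for illustration.

```javascript
// Added example, not Apollo Gateway code. Fragments are represented as
// { name: [selection, ...] } where a selection is either a field name
// (string) or a fragment spread ({ spread: "Name" }).

// Constructed input: a chain of `depth` fragments where every fragment spreads
// the next one `fanout` times. This is the "deeply nested and reused" shape.
function buildNestedFragments(depth, fanout = 2) {
  const frags = {};
  for (let i = 0; i < depth; i++) {
    const name = `F${i}`;
    if (i === depth - 1) {
      frags[name] = ["id", "name"]; // leaf fragment: two plain fields
    } else {
      const spreads = Array.from({ length: fanout }, () => ({ spread: `F${i + 1}` }));
      frags[name] = ["id", ...spreads];
    }
  }
  return frags;
}

// Pre-fix behaviour: re-expand a fragment every time it is spread. Returns the
// number of selection nodes visited, which grows as fanout^depth.
function naiveExpansionWork(frags, name) {
  let work = 0;
  for (const sel of frags[name]) {
    work += 1;
    if (typeof sel === "object") work += naiveExpansionWork(frags, sel.spread);
  }
  return work;
}

// Post-fix behaviour: expand each named fragment once and reuse the result.
// Returns the expanded field count of `name` and the total work done, which
// is linear in the number of selections in the document. Cyclic spreads are
// invalid GraphQL; they are rejected here rather than looping forever.
function memoizedExpansion(frags, name, cache = new Map(), stack = new Set(), stats = { work: 0 }) {
  if (cache.has(name)) return { size: cache.get(name), work: stats.work };
  if (stack.has(name)) throw new Error(`fragment cycle through ${name}`);
  if (!(name in frags)) throw new Error(`unknown fragment ${name}`);
  stack.add(name);
  let size = 0;
  for (const sel of frags[name]) {
    stats.work += 1;
    if (typeof sel === "object") {
      size += memoizedExpansion(frags, sel.spread, cache, stack, stats).size;
    } else {
      size += 1;
    }
  }
  stack.delete(name);
  cache.set(name, size);
  return { size, work: stats.work };
}

// Cheap guard to run before query planning: compute the expanded size with
// the memoized walk (linear cost) and refuse documents above a budget.
function checkFragmentBudget(frags, root, maxExpandedFields) {
  const { size } = memoizedExpansion(frags, root);
  return { ok: size <= maxExpandedFields, expandedFields: size };
}

// Demonstration: 20 nested fragments, each spread twice.
const deep = buildNestedFragments(20);
console.log("naive work:", naiveExpansionWork(deep, "F0"));          // 2621437
console.log("memoized:", memoizedExpansion(deep, "F0"));             // { size: 1572863, work: 59 }
console.log("budget check:", checkFragmentBudget(deep, "F0", 10000)); // { ok: false, expandedFields: 1572863 }
```

The budget check is the part worth keeping even on a patched gateway: the memoized walk costs one pass over the document, so it can reject a query whose fully expanded selection set would be unreasonably large before the planner sees it. The expansion threshold is deployment-specific and is an assumed value here.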
References (3)
Vendor Advisory x_refsource_confirm
https://github.com/apollographql/federation/security/advisories/GHSA-q2f9-x4p4-7xmh
Issue Tracking, Patch x_refsource_misc
https://github.com/apollographql/federation/pull/3236
Release Notes x_refsource_misc
https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1
Scores
CVSS v3
7.5
EPSS
0.0043
EPSS Percentile
34.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (2)
apollo/gateway
0 - 2.10.1 (npm)
apollographql/apollo_gateway
< 2.10.1
Published
Apr 07, 2025
Tracked Since
Feb 18, 2026