{
  "url": "http://public2.vulnerablecode.io/api/packages/898073?format=json",
  "purl": "pkg:npm/%40apollo/composition@2.3.0",
  "type": "npm",
  "namespace": "@apollo",
  "name": "composition",
  "version": "2.3.0",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "2.9.5",
  "latest_non_vulnerable_version": "2.12.1",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48374?format=json",
      "vulnerability_id": "VCID-egqn-q2x7-ubcn",
      "summary": "Apollo Federation has Improper Enforcement of Access Control on Transitive Fields\nA vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through `@requires` and/or `@fromContext` directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields indirectly through their dependencies, bypassing access control checks. A fix to composition logic in Federation now enforces that dependent fields match the access control requirements of the fields they reference.",
      "references": [
        {
          "reference_url": "https://github.com/apollographql/federation",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apollographql/federation"
        },
        {
          "reference_url": "https://github.com/apollographql/federation/commit/09e596e6a0c753071ca822e84f525d73ada395cf",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apollographql/federation/commit/09e596e6a0c753071ca822e84f525d73ada395cf"
        },
        {
          "reference_url": "https://github.com/apollographql/federation/commit/0d8fca1c8cc375bb8486f11f339984b69267417d",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apollographql/federation/commit/0d8fca1c8cc375bb8486f11f339984b69267417d"
        },
        {
          "reference_url": "https://github.com/apollographql/federation/commit/20c75d1d60a48fc289d88c8d29652f1afc7553e4",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apollographql/federation/commit/20c75d1d60a48fc289d88c8d29652f1afc7553e4"
        },
        {
          "reference_url": "https://github.com/apollographql/federation/commit/e1c58611c3c996b4fff98a54e49f00549ff2115d",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apollographql/federation/commit/e1c58611c3c996b4fff98a54e49f00549ff2115d"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-m8jr-fxqx-8xx6",
          "reference_id": "GHSA-m8jr-fxqx-8xx6",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-m8jr-fxqx-8xx6"
        },
        {
          "reference_url": "https://github.com/apollographql/federation/security/advisories/GHSA-m8jr-fxqx-8xx6",
          "reference_id": "GHSA-m8jr-fxqx-8xx6",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apollographql/federation/security/advisories/GHSA-m8jr-fxqx-8xx6"
        }
      ],
      "fixed_packages": [
        {"url": "http://public2.vulnerablecode.io/api/packages/71406?format=json", "purl": "pkg:npm/%40apollo/composition@2.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/composition@2.9.5"},
        {"url": "http://public2.vulnerablecode.io/api/packages/71407?format=json", "purl": "pkg:npm/%40apollo/composition@2.10.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/composition@2.10.4"},
        {"url": "http://public2.vulnerablecode.io/api/packages/71408?format=json", "purl": "pkg:npm/%40apollo/composition@2.11.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/composition@2.11.5"},
        {"url": "http://public2.vulnerablecode.io/api/packages/71409?format=json", "purl": "pkg:npm/%40apollo/composition@2.12.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/composition@2.12.1"}
      ],
      "aliases": ["GHSA-m8jr-fxqx-8xx6"],
      "risk_score": 4.0,
      "exploitability": "0.5",
      "weighted_severity": "8.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-egqn-q2x7-ubcn"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48385?format=json",
      "vulnerability_id": "VCID-yccb-7ew1-fbct",
      "summary": "@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields\nA vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead querying the implementing object types/fields in Apollo Router via inline or named fragments. A fix to composition logic in Federation now disallows interface types and fields from containing user-defined access control directives.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64530",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33788", "published_at": "2026-06-07T12:55:00Z"},
            {"value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33755", "published_at": "2026-06-08T12:55:00Z"},
            {"value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33822", "published_at": "2026-06-06T12:55:00Z"},
            {"value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33806", "published_at": "2026-06-05T12:55:00Z"},
            {"value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36651", "published_at": "2026-06-09T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64530"
        },
        {
          "reference_url": "https://github.com/apollographql/federation",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apollographql/federation"
        },
        {
          "reference_url": "https://github.com/apollographql/federation/pull/3340",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apollographql/federation/pull/3340"
        },
        {
          "reference_url": "https://github.com/apollographql/federation/pull/3341",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apollographql/federation/pull/3341"
        },
        {
          "reference_url": "https://github.com/apollographql/federation/pull/3343",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apollographql/federation/pull/3343"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64530",
          "reference_id": "CVE-2025-64530",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64530"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-mx7m-j9xf-62hw",
          "reference_id": "GHSA-mx7m-j9xf-62hw",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-mx7m-j9xf-62hw"
        },
        {
          "reference_url": "https://github.com/apollographql/federation/security/advisories/GHSA-mx7m-j9xf-62hw",
          "reference_id": "GHSA-mx7m-j9xf-62hw",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-14T15:57:29Z/"}
          ],
          "url": "https://github.com/apollographql/federation/security/advisories/GHSA-mx7m-j9xf-62hw"
        }
      ],
      "fixed_packages": [
        {"url": "http://public2.vulnerablecode.io/api/packages/71406?format=json", "purl": "pkg:npm/%40apollo/composition@2.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/composition@2.9.5"},
        {"url": "http://public2.vulnerablecode.io/api/packages/71407?format=json", "purl": "pkg:npm/%40apollo/composition@2.10.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/composition@2.10.4"},
        {"url": "http://public2.vulnerablecode.io/api/packages/71408?format=json", "purl": "pkg:npm/%40apollo/composition@2.11.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/composition@2.11.5"},
        {"url": "http://public2.vulnerablecode.io/api/packages/71409?format=json", "purl": "pkg:npm/%40apollo/composition@2.12.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/composition@2.12.1"}
      ],
      "aliases": ["CVE-2025-64530", "GHSA-mx7m-j9xf-62hw"],
      "risk_score": 4.0,
      "exploitability": "0.5",
      "weighted_severity": "8.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yccb-7ew1-fbct"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "4.0",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/composition@2.3.0"
}