GHSA-M8JR-FXQX-8XX6

GHSA-M8JR-FXQX-8XX6 is a high-severity incorrect authorization vulnerability in @apollo/composition (npm), affecting versions < 2.9.5. It is fixed in 2.9.5, 2.10.4, 2.11.5, 2.12.1.

Summary

A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields indirectly through their dependencies, bypassing access control checks. A fix to composition logic in Federation now enforces that dependent fields match the access control requirements from of the fields they reference.

Details

Apollo Federation allows users to specify @authenticated, @requiresScopes, and @policy directives to protect fields at the field level. The @requires directive allows a field to depend on data from other fields in the schema, and @fromContext allows a field to use values from the execution context. However, Apollo Router does not enforce access control requirements on these transitively-accessed fields, and Apollo Federation did not require that fields using @requires or @fromContext have the same access control as the fields they depend on.

At execution time, when a field decorated with @requires or @fromContext was resolved, the Router would fetch the required dependency fields from subgraphs without checking whether those fields had their own access control requirements. Access control directives applied to these dependency fields were only enforced when those fields appeared explicitly in the query. If the protected fields were accessed solely as transitive dependencies (in other words, fetched to satisfy @requires or @fromContext but not directly requested) their access control requirements were silently ignored.

This discrepancy between where access controls could be defined (on any field) and where it was enforced (only on explicitly queried fields) leads to unexpected runtime security gaps.

Who is impacted

This vulnerability impacts Apollo Federation customers with supergraphs defining @authenticated, @requiresScopes, or @policy directives on fields that are also specified as dependencies in @requires or @fromContext directives.

Scope of Impact

The vulnerability could allow a malicious actor to craft a query that indirectly accesses protected fields, allowing them to bypass field-level access control. By querying only fields that depend on protected data (via @requires or @fromContext) without explicitly requesting the protected fields themselves, an attacker could retrieve sensitive information without meeting the access control requirements.

Workarounds

  • If you are using Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below, you should review your schema for any sensitive fields that are accessed via @requires or @fromContext and explicitly apply matching access control directives on those transitive fields. Alternatively, consider restructuring your schema so that protected fields are queried directly.
  • Customers not using Apollo Router access control features (@authenticated, @requiresScopes, or @policy directives) or not using @requires or @fromContext directives in combination with field-level access control are not affected and do not need to take action.

Impact

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

GHSA-M8JR-FXQX-8XX6 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.9.5, 2.10.4, 2.11.5, 2.12.1); upgrading removes the vulnerable code path.

Affected versions

@apollo/composition (< 2.9.5) @apollo/composition (>= 2.10.0-alpha.3, < 2.10.4) @apollo/composition (>= 2.11.0-preview.1, < 2.11.5) @apollo/composition (>= 2.12.0-preview.0, < 2.12.1)

Security releases

@apollo/composition → 2.9.5 (npm) @apollo/composition → 2.10.4 (npm) @apollo/composition → 2.11.5 (npm) @apollo/composition → 2.12.1 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

This vulnerability has been fixed in Apollo Federation by updating composition logic to validate that access control requirements on @requires and @fromContext dependency fields match the resolving field's requirements.

Note that this is a breaking change to Apollo Federation, as it no longer allows fields using @requires or @fromContext to have different access control directives from the fields they depend on. You will need to update your subgraphs to ensure that the access control requirements on fields using @requires or @fromContext match the access control directives on the referenced fields.

If you are using the Apollo Studio build pipeline with Federation version 2.9 or above, then this patch version update is automatic and you only need to adjust the access control requirements in your subgraph schemas as mentioned above.

If you are using Apollo Rover for local composition, you will need to update its composition version (after updating Apollo Router, if necessary) to one of the following versions:

  • 2.9.5+
  • 2.10.4+
  • 2.11.5+
  • 2.12.1+

You will then need to adjust the access control requirements in your subgraph schemas as mentioned above.

Frequently Asked Questions

  1. What is GHSA-M8JR-FXQX-8XX6? GHSA-M8JR-FXQX-8XX6 is a high-severity incorrect authorization vulnerability in @apollo/composition (npm), affecting versions < 2.9.5. It is fixed in 2.9.5, 2.10.4, 2.11.5, 2.12.1. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
  2. How severe is GHSA-M8JR-FXQX-8XX6? GHSA-M8JR-FXQX-8XX6 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @apollo/composition are affected by GHSA-M8JR-FXQX-8XX6? @apollo/composition (npm) versions < 2.9.5 is affected.
  4. Is there a fix for GHSA-M8JR-FXQX-8XX6? Yes. GHSA-M8JR-FXQX-8XX6 is fixed in 2.9.5, 2.10.4, 2.11.5, 2.12.1. Upgrade to this version or later.
  5. Is GHSA-M8JR-FXQX-8XX6 exploitable, and should I be worried? Whether GHSA-M8JR-FXQX-8XX6 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-M8JR-FXQX-8XX6 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-M8JR-FXQX-8XX6?
    • Upgrade @apollo/composition to 2.9.5 or later
    • Upgrade @apollo/composition to 2.10.4 or later
    • Upgrade @apollo/composition to 2.11.5 or later
    • Upgrade @apollo/composition to 2.12.1 or later

Other vulnerabilities in @apollo/composition

Stop the waste.
Protect your environment with Kodem.