{"id":"CVE-2025-32030","summary":"Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion","details":"Apollo Gateway provides utilities for combining multiple GraphQL microservices into a single GraphQL endpoint. Prior to 2.10.1, a vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reused fragments were involved. This could lead to excessive resource consumption and denial of service. This has been remediated in @apollo/gateway version 2.10.1.","aliases":["GHSA-q2f9-x4p4-7xmh"],"modified":"2026-04-10T05:25:06.393014Z","published":"2025-04-07T20:38:59.654Z","database_specific":{"cwe_ids":["CWE-770"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32030.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32030.json"},{"type":"ADVISORY","url":"https://github.com/apollographql/federation/security/advisories/GHSA-q2f9-x4p4-7xmh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32030"},{"type":"FIX","url":"https://github.com/apollographql/federation/pull/3236"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apollographql/federation","events":[{"introduced":"0"},{"fixed":"7ae758947bd51f0a7fced6bb4999556d20a68428"}]}],"versions":["2.2.0-rc.0","@apollo/composition@2.0.0-alpha.0","@apollo/composition@2.0.0-alpha.1","@apollo/composition@2.0.0-alpha.6","@apollo/composition@2.10.0","@apollo/composition@2.4.0","@apollo/composition@2.4.0-alpha.0","@apollo/composition@2.4.0-alpha.1","@apollo/composition@2.5.0","@apollo/composition@2.5.1","@apollo/composition@2.5.2","@apollo/composition@2.5.3","@apollo/composition@2.5.4","@apollo/composition@2.5.5","@apollo/composition@2.5.6","@apollo/composition@2.5.7","@apollo/composition@2.6.1","@apollo/composition@2.6.2","@apollo/composition@2.7.0","@apollo/composition@2.7.1","@apollo/composition@2.7.2","@apollo/composition@2.7.3","@apollo/composition@2.7.4","@apollo/composition@2.7.5","@apollo/composition@2.7.6","@apollo/composition@2.7.7","@apollo/composition@2.8.0","@apollo/composition@2.8.0-alpha.0","@apollo/composition@2.8.0-alpha.1","@apollo/composition@2.8.1","@apollo/composition@2.8.2","@apollo/composition@2.8.3","@apollo/composition@2.8.4","@apollo/composition@2.8.5","@apollo/composition@2.9.0","@apollo/composition@2.9.1","@apollo/composition@2.9.2","@apollo/composition@2.9.3","@apollo/federation-internals@2.0.0-alpha.0","@apollo/federation-internals@2.0.0-alpha.1","@apollo/federation-internals@2.0.0-alpha.6","@apollo/federation-internals@2.10.0","@apollo/federation-internals@2.4.0","@apollo/federation-internals@2.4.0-alpha.0","@apollo/federation-internals@2.4.0-alpha.1","@apollo/federation-internals@2.5.0","@apollo/federation-internals@2.5.1","@apollo/federation-internals@2.5.2","@apollo/federation-internals@2.5.3","@apollo/federation-internals@2.5.4","@apollo/federation-internals@2.5.5","@apollo/federation-internals@2.5.6","@apollo/federation-internals@2.5.7","@apollo/federation-internals@2.6.1","@apollo/federation-internals@2.6.2","@apollo/federation-internals@2.7.0","@apollo/federation-internals@2.7.1","@apollo/federation-internals@2.7.2","@apollo/federation-internals@2.7.3","@apollo/federation-internals@2.7.4","@apollo/federation-internals@2.7.5","@apollo/federation-internals@2.7.6","@apollo/federation-internals@2.7.7","@apollo/federation-internals@2.8.0","@apollo/federation-internals@2.8.0-alpha.0","@apollo/federation-internals@2.8.0-alpha.1","@apollo/federation-internals@2.8.1","@apollo/federation-internals@2.8.2","@apollo/federation-internals@2.8.3","@apollo/federation-internals@2.8.4","@apollo/federation-internals@2.8.5","@apollo/federation-internals@2.9.0","@apollo/federation-internals@2.9.1","@apollo/federation-internals@2.9.2","@apollo/federation-internals@2.9.3","@apollo/federation@0.20.1","@apollo/federation@0.20.2","@apollo/federation@0.20.3","@apollo/federation@0.20.4","@apollo/federation@0.20.5","@apollo/federation@0.20.6","@apollo/federation@0.20.7","@apollo/federation@0.21.0","@apollo/federation@0.21.1","@apollo/federation@0.21.2","@apollo/federation@0.22.0","@apollo/federation@0.23.1","@apollo/federation@0.23.2","@apollo/federation@0.24.0","@apollo/federation@0.25.0","@apollo/federation@0.25.1","@apollo/federation@0.25.2","@apollo/federation@0.27.1","@apollo/federation@0.28.0","@apollo/federation@0.30.0","@apollo/federation@0.33.4","@apollo/federation@2.0.0-alpha.0","@apollo/federation@2.0.0-alpha.1","@apollo/gateway@0.20.1","@apollo/gateway@0.20.2","@apollo/gateway@0.20.3","@apollo/gateway@0.20.4","@apollo/gateway@0.21.0","@apollo/gateway@0.21.1","@apollo/gateway@0.21.2","@apollo/gateway@0.21.3","@apollo/gateway@0.21.4","@apollo/gateway@0.22.0","@apollo/gateway@0.23.1","@apollo/gateway@0.23.2","@apollo/gateway@0.24.0","@apollo/gateway@0.24.1","@apollo/gateway@0.24.2","@apollo/gateway@0.24.3","@apollo/gateway@0.24.4","@apollo/gateway@0.25.1","@apollo/gateway@0.26.1","@apollo/gateway@0.26.2","@apollo/gateway@0.26.3","@apollo/gateway@0.27.0","@apollo/gateway@0.27.1","@apollo/gateway@0.28.0","@apollo/gateway@0.28.1","@apollo/gateway@0.28.2","@apollo/gateway@0.28.3","@apollo/gateway@0.29.0","@apollo/gateway@0.29.1","@apollo/gateway@0.30.0","@apollo/gateway@0.31.1","@apollo/gateway@0.32.0","@apollo/gateway@0.35.1","@apollo/gateway@0.36.0","@apollo/gateway@0.39.0","@apollo/gateway@0.42.4","@apollo/gateway@2.0.0-alpha.0","@apollo/gateway@2.0.0-alpha.1","@apollo/gateway@2.0.0-alpha.6","@apollo/gateway@2.10.0","@apollo/gateway@2.4.0","@apollo/gateway@2.4.0-alpha.0","@apollo/gateway@2.4.0-alpha.1","@apollo/gateway@2.5.0","@apollo/gateway@2.5.1","@apollo/gateway@2.5.2","@apollo/gateway@2.5.3","@apollo/gateway@2.5.4","@apollo/gateway@2.5.5","@apollo/gateway@2.5.6","@apollo/gateway@2.5.7","@apollo/gateway@2.6.1","@apollo/gateway@2.6.2","@apollo/gateway@2.7.0","@apollo/gateway@2.7.1","@apollo/gateway@2.7.2","@apollo/gateway@2.7.3","@apollo/gateway@2.7.4","@apollo/gateway@2.7.5","@apollo/gateway@2.7.6","@apollo/gateway@2.7.7","@apollo/gateway@2.8.0","@apollo/gateway@2.8.0-alpha.0","@apollo/gateway@2.8.0-alpha.1","@apollo/gateway@2.8.1","@apollo/gateway@2.8.2","@apollo/gateway@2.8.3","@apollo/gateway@2.8.4","@apollo/gateway@2.8.5","@apollo/gateway@2.9.0","@apollo/gateway@2.9.1","@apollo/gateway@2.9.2","@apollo/gateway@2.9.3","@apollo/harmonizer@0.1.2","@apollo/harmonizer@0.1.4","@apollo/harmonizer@0.1.5","@apollo/harmonizer@0.2.0","@apollo/harmonizer@0.2.4","@apollo/harmonizer@0.2.5","@apollo/harmonizer@0.28.1","@apollo/harmonizer@0.3.2","@apollo/harmonizer@0.3.3","@apollo/harmonizer@0.30.0","@apollo/harmonizer@0.33.4","@apollo/harmonizer@2.0.0-alpha.0","@apollo/harmonizer@2.0.0-alpha.1","@apollo/harmonizer@2.0.0-alpha.6","@apollo/query-graphs@2.0.0-alpha.0","@apollo/query-graphs@2.0.0-alpha.1","@apollo/query-graphs@2.0.0-alpha.6","@apollo/query-graphs@2.10.0","@apollo/query-graphs@2.4.0","@apollo/query-graphs@2.4.0-alpha.0","@apollo/query-graphs@2.4.0-alpha.1","@apollo/query-graphs@2.5.0","@apollo/query-graphs@2.5.1","@apollo/query-graphs@2.5.2","@apollo/query-graphs@2.5.3","@apollo/query-graphs@2.5.4","@apollo/query-graphs@2.5.5","@apollo/query-graphs@2.5.6","@apollo/query-graphs@2.5.7","@apollo/query-graphs@2.6.1","@apollo/query-graphs@2.6.2","@apollo/query-graphs@2.7.0","@apollo/query-graphs@2.7.1","@apollo/query-graphs@2.7.2","@apollo/query-graphs@2.7.3","@apollo/query-graphs@2.7.4","@apollo/query-graphs@2.7.5","@apollo/query-graphs@2.7.6","@apollo/query-graphs@2.7.7","@apollo/query-graphs@2.8.0","@apollo/query-graphs@2.8.0-alpha.0","@apollo/query-graphs@2.8.0-alpha.1","@apollo/query-graphs@2.8.1","@apollo/query-graphs@2.8.2","@apollo/query-graphs@2.8.3","@apollo/query-graphs@2.8.4","@apollo/query-graphs@2.8.5","@apollo/query-graphs@2.9.0","@apollo/query-graphs@2.9.1","@apollo/query-graphs@2.9.2","@apollo/query-graphs@2.9.3","@apollo/query-planner-wasm@0.0.10","@apollo/query-planner-wasm@0.0.3","@apollo/query-planner-wasm@0.0.4","@apollo/query-planner-wasm@0.0.5","@apollo/query-planner-wasm@0.0.6","@apollo/query-planner-wasm@0.0.7","@apollo/query-planner-wasm@0.0.8","@apollo/query-planner-wasm@0.0.9","@apollo/query-planner-wasm@0.1.1","@apollo/query-planner-wasm@0.1.2","@apollo/query-planner-wasm@0.2.0","@apollo/query-planner-wasm@0.2.1","@apollo/query-planner-wasm@0.2.2","@apollo/query-planner-wasm@0.2.3","@apollo/query-planner-wasm@0.2.4","@apollo/query-planner-wasm@0.2.6","@apollo/query-planner@0.0.11","@apollo/query-planner@0.0.12","@apollo/query-planner@0.0.13","@apollo/query-planner@0.0.14","@apollo/query-planner@0.1.1","@apollo/query-planner@0.1.2","@apollo/query-planner@0.1.3","@apollo/query-planner@0.1.4","@apollo/query-planner@0.2.0","@apollo/query-planner@0.2.1","@apollo/query-planner@0.2.2","@apollo/query-planner@0.3.1","@apollo/query-planner@0.4.0","@apollo/query-planner@0.5.2","@apollo/query-planner@2.0.0-alpha.0","@apollo/query-planner@2.0.0-alpha.1","@apollo/query-planner@2.0.0-alpha.6","@apollo/query-planner@2.10.0","@apollo/query-planner@2.4.0","@apollo/query-planner@2.4.0-alpha.0","@apollo/query-planner@2.4.0-alpha.1","@apollo/query-planner@2.5.0","@apollo/query-planner@2.5.1","@apollo/query-planner@2.5.2","@apollo/query-planner@2.5.3","@apollo/query-planner@2.5.4","@apollo/query-planner@2.5.5","@apollo/query-planner@2.5.6","@apollo/query-planner@2.5.7","@apollo/query-planner@2.6.1","@apollo/query-planner@2.6.2","@apollo/query-planner@2.7.0","@apollo/query-planner@2.7.1","@apollo/query-planner@2.7.2","@apollo/query-planner@2.7.3","@apollo/query-planner@2.7.4","@apollo/query-planner@2.7.5","@apollo/query-planner@2.7.6","@apollo/query-planner@2.7.7","@apollo/query-planner@2.8.0","@apollo/query-planner@2.8.0-alpha.0","@apollo/query-planner@2.8.0-alpha.1","@apollo/query-planner@2.8.1","@apollo/query-planner@2.8.2","@apollo/query-planner@2.8.3","@apollo/query-planner@2.8.4","@apollo/query-planner@2.8.5","@apollo/query-planner@2.9.0","@apollo/query-planner@2.9.1","@apollo/query-planner@2.9.2","@apollo/query-planner@2.9.3","@apollo/router-bridge@0.1.1","@apollo/router-bridge@2.0.0-alpha.0","@apollo/router-bridge@2.0.0-alpha.1","@apollo/router-bridge@2.0.0-alpha.6","@apollo/subgraph@0.1.3","@apollo/subgraph@2.0.0-alpha.0","@apollo/subgraph@2.0.0-alpha.1","@apollo/subgraph@2.0.0-alpha.6","@apollo/subgraph@2.10.0","@apollo/subgraph@2.4.0","@apollo/subgraph@2.4.0-alpha.0","@apollo/subgraph@2.4.0-alpha.1","@apollo/subgraph@2.5.0","@apollo/subgraph@2.5.1","@apollo/subgraph@2.5.2","@apollo/subgraph@2.5.3","@apollo/subgraph@2.5.4","@apollo/subgraph@2.5.5","@apollo/subgraph@2.5.6","@apollo/subgraph@2.5.7","@apollo/subgraph@2.6.1","@apollo/subgraph@2.6.2","@apollo/subgraph@2.7.0","@apollo/subgraph@2.7.1","@apollo/subgraph@2.7.2","@apollo/subgraph@2.7.3","@apollo/subgraph@2.7.4","@apollo/subgraph@2.7.5","@apollo/subgraph@2.7.6","@apollo/subgraph@2.7.7","@apollo/subgraph@2.8.0","@apollo/subgraph@2.8.0-alpha.0","@apollo/subgraph@2.8.0-alpha.1","@apollo/subgraph@2.8.1","@apollo/subgraph@2.8.2","@apollo/subgraph@2.8.3","@apollo/subgraph@2.8.4","@apollo/subgraph@2.8.5","@apollo/subgraph@2.9.0","@apollo/subgraph@2.9.1","@apollo/subgraph@2.9.2","@apollo/subgraph@2.9.3","apollo-federation-integration-testsuite@0.20.1","apollo-federation-integration-testsuite@0.20.2","apollo-federation-integration-testsuite@0.20.3","apollo-federation-integration-testsuite@0.20.4","apollo-federation-integration-testsuite@0.20.5","apollo-federation-integration-testsuite@0.21.0","apollo-federation-integration-testsuite@0.22.0","apollo-federation-integration-testsuite@0.23.1","apollo-federation-integration-testsuite@0.23.2","apollo-federation-integration-testsuite@0.23.3","apollo-federation-integration-testsuite@0.24.0","apollo-federation-integration-testsuite@0.25.0","apollo-federation-integration-testsuite@0.25.1","apollo-federation-integration-testsuite@0.28.0","apollo-federation-integration-testsuite@0.30.0","apollo-federation-integration-testsuite@0.33.2","apollo-federation-integration-testsuite@2.0.0-alpha.0","apollo-federation-integration-testsuite@2.0.0-alpha.1","apollo-federation-integration-testsuite@2.0.0-alpha.6","pre-cli-removal","publish/20200918220443","publish/20200921213411","publish/20200924175307","publish/20200925115025","publish/20200925115037","publish/20200925115045","publish/20200925115054","publish/20200930151034","publish/20201109161401","publish/20201119213556","publish/20201120184033","publish/20201204223135","publish/20210114172739","publish/20210226192245","publish/20210226202753","publish/20210310080736","publish/20210310082711","publish/20210310092238","publish/20210310092738","publish/20210310114707","publish/20210331111626","publish/20210405205933","publish/20210422213358","publish/20210426214525","publish/20210429133001","publish/20210429171631","publish/20210503102213","publish/20210510202305","publish/20210525001653","publish/20210610145647","publish/20210616192610","publish/20210616215933","publish/20210622204946","publish/20210702103216","publish/20210702222118","publish/20210727175430","publish/20210803175107","publish/20210826121431","publish/20211103085729","publish/20220214110600","publish/20220309170101","publish/20220309171736","stargate@0.0.1-alpha.0","v0.0.3","v0.1.10","v0.1.8","v0.1.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32030.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}