Vulnerabilities related to apollographql - router
CVE-2024-28101 (GCVE-0-2024-28101)
Vulnerability from cvelistv5
Published
2024-03-06 21:07
Modified
2024-08-05 16:57
Severity: CVSS 3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Summary
The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the `limits.http_max_request_bytes` configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory consumption while the compressed payload is expanded. Router version 1.40.2 has a fix for the vulnerability. Those who are unable to upgrade may be able to implement mitigations at proxies or load balancers positioned in front of their Router fleet (e.g. Nginx, HAProxy, or cloud-native WAF services) by creating limits on HTTP body upload size.
References
URL | Tags
---|---
https://github.com/apollographql/router/security/advisories/GHSA-cgqf-3cq5-wvcj | x_refsource_CONFIRM
https://github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
apollographql | router | >= 0.9.5, < 1.40.2
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:48:48.997Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-cgqf-3cq5-wvcj", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-cgqf-3cq5-wvcj" }, { "name": "https://github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "apollo_router", "vendor": "apollographql", "versions": [ { "lessThan": "1.40.2", "status": "affected", "version": "0.9.5", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-28101", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-05T16:54:18.252100Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-05T16:57:05.215Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "router", "vendor": "apollographql", "versions": [ { "status": "affected", "version": "\u003e= 0.9.5, \u003c 1.40.2" } ] } ], "descriptions": [ { "lang": "en", "value": "The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. 
When receiving compressed HTTP payloads, affected versions of the Router evaluate the `limits.http_max_request_bytes` configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory consumption while the compressed payload is expanded. Router version 1.40.2 has a fix for the vulnerability. Those who are unable to upgrade may be able to implement mitigations at proxies or load balancers positioned in front of their Router fleet (e.g. Nginx, HAProxy, or cloud-native WAF services) by creating limits on HTTP body upload size. \n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-409", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-06T21:07:36.476Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-cgqf-3cq5-wvcj", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-cgqf-3cq5-wvcj" }, { "name": "https://github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413" } ], "source": { "advisory": "GHSA-cgqf-3cq5-wvcj", "discovery": "UNKNOWN" }, "title": "Apollo Router\u0027s Compressed Payloads do not respect HTTP 
Payload Limits" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-28101", "datePublished": "2024-03-06T21:07:36.476Z", "dateReserved": "2024-03-04T14:19:14.058Z", "dateUpdated": "2024-08-05T16:57:05.215Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-32971 (GCVE-0-2024-32971)
Vulnerability from cvelistv5
Published
2024-05-02 06:43
Modified
2024-08-02 02:27
Severity: CVSS 3.1 base score 9.1 (CRITICAL), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
- CWE-670 - Always-Incorrect Control Flow Implementation
- CWE-440 - Expected Behavior Violation
Summary
Apollo Router is a configurable graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that, in limited circumstances, could lead to unexpected operations being executed, which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router’s cache retrieval logic: when this defect is present and distributed query plan caching is enabled, asking the Router to execute an operation (whether a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or in unexpected errors being generated. The issue stems from inadvertently executing a modified version of a previously executed operation whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don’t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)`, the Router may run `fetchUsers(type: TRIAL)`). For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`). Users who are using distributed query plan caching are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 and 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue.
References
URL | Tags
---|---
https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v | x_refsource_CONFIRM
https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529 | x_refsource_MISC
https://github.com/apollographql/router/releases/tag/v1.45.1 | x_refsource_MISC
https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
apollographql | router | >=1.44.0, <1.45.1
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "apollo_router", "vendor": "apollographql", "versions": [ { "lessThan": "1.45.1", "status": "affected", "version": "1.44.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-32971", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-07-03T15:09:53.762624Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-03T20:56:05.085Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:27:52.865Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v" }, { "name": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529" }, { "name": "https://github.com/apollographql/router/releases/tag/v1.45.1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/apollographql/router/releases/tag/v1.45.1" }, { "name": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "router", "vendor": 
"apollographql", "versions": [ { "status": "affected", "version": "\u003e=1.44.0, \u003c1.45.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-670", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-440", "description": "CWE-440: Expected Behavior Violation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-02T06:43:27.646Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v" }, { "name": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529" }, { "name": "https://github.com/apollographql/router/releases/tag/v1.45.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/releases/tag/v1.45.1" }, { "name": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching", "tags": [ "x_refsource_MISC" ], "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching" } ], "source": { "advisory": "GHSA-q9p4-hw9m-fj2v", "discovery": "UNKNOWN" }, "title": "Defect in query plan cache may cause incorrect operations to be executed in Apollo Router" } }, "cveMetadata": { "assignerOrgId": 
"a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-32971", "datePublished": "2024-05-02T06:43:27.646Z", "dateReserved": "2024-04-22T15:14:59.165Z", "dateUpdated": "2024-08-02T02:27:52.865Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-45812 (GCVE-0-2023-45812)
Vulnerability from cvelistv5
Published
2023-10-18 21:29
Modified
2024-09-13 15:02
Severity: CVSS 3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Summary
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the Router that use `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of the Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and must also support either `@defer` or Subscriptions. Apollo Router version 1.33.0 contains a fix for this vulnerability, introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should either avoid using the coprocessor supergraph response, or disable `@defer` and Subscriptions support and continue to use the coprocessor supergraph response.
References
URL | Tags
---|---
https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj | x_refsource_CONFIRM
https://github.com/apollographql/router/pull/4014 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
apollographql | router | >= 1.31.0, < 1.33.0
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:29:32.278Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj" }, { "name": "https://github.com/apollographql/router/pull/4014", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/apollographql/router/pull/4014" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:apollographql:apollo_router:1.31.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "apollo_router", "vendor": "apollographql", "versions": [ { "lessThanOrEqual": "1.33.0", "status": "affected", "version": "1.31.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-45812", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-13T14:58:32.929626Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-13T15:02:17.414Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "router", "vendor": "apollographql", "versions": [ { "status": "affected", "version": "\u003e= 1.31.0, \u003c 1.33.0" } ] } ], "descriptions": [ { "lang": "en", "value": "The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. 
To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-18T21:29:32.731Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj" }, { "name": "https://github.com/apollographql/router/pull/4014", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/pull/4014" } ], "source": { "advisory": "GHSA-r344-xw3p-2frj", "discovery": "UNKNOWN" }, "title": "Improper Check or Handling of Exceptional Conditions in apollo-router" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-45812", "datePublished": "2023-10-18T21:29:32.731Z", "dateReserved": "2023-10-13T12:00:50.437Z", "dateUpdated": 
"2024-09-13T15:02:17.414Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32380 (GCVE-0-2025-32380)
Vulnerability from cvelistv5
Published
2025-04-09 16:05
Modified
2025-04-09 20:43
Severity: CVSS 3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router's usage of Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. This could lead to excessive resource consumption and denial of service. Apollo Router's usage of Apollo Compiler has been updated so that validation logic processes each named fragment only once, preventing redundant traversal. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.
References
URL | Tags
---|---
https://github.com/apollographql/router/security/advisories/GHSA-3j43-9v8v-cp3f | x_refsource_CONFIRM
https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 | x_refsource_MISC
https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
apollographql | router | < 1.61.2
apollographql | router | >= 2.0.0-alpha.0, < 2.1.1
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32380", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-09T17:28:24.099060Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-09T20:43:06.645Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "router", "vendor": "apollographql", "versions": [ { "status": "affected", "version": "\u003c 1.61.2" }, { "status": "affected", "version": "\u003e= 2.0.0-alpha.0, \u003c 2.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router\u0027s usage of Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. This could lead to excessive resource consumption and denial of service. Apollo Router\u0027s usage of Apollo Compiler has been updated so that validation logic processes each named fragment only once, preventing redundant traversal. This has been remediated in apollo-router versions 1.61.2 and 2.1.1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-09T16:05:45.994Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-3j43-9v8v-cp3f", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-3j43-9v8v-cp3f" }, { "name": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564" }, { "name": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952" } ], "source": { "advisory": "GHSA-3j43-9v8v-cp3f", "discovery": "UNKNOWN" }, "title": "Apollo Router Query Validation Vulnerable to Excessive Resource Consumption via Named Fragment Processing" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-32380", "datePublished": "2025-04-09T16:05:45.994Z", "dateReserved": "2025-04-06T19:46:02.462Z", "dateUpdated": "2025-04-09T20:43:06.645Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-43783 (GCVE-0-2024-43783)
Vulnerability from cvelistv5
Published
2024-08-27 17:16
Modified
2024-08-27 18:06
Severity: CVSS 3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2.
Instances of the Apollo Router running versions >=1.21.0 and < 1.52.1 are impacted by a denial-of-service vulnerability if _all_ of the following are true:
1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor).
2. The Apollo Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators.
Instances of the Apollo Router running versions >=1.7.0 and <1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true:
1. Router has been configured to use a custom-developed Native Rust Plugin.
2. The plugin accesses Request.router_request in the RouterService layer.
3. You are accumulating the body from Request.router_request into memory.
If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB.
If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors.
If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance).
References
URL | Tags
---|---
https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32 | x_refsource_CONFIRM
https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14 | x_refsource_MISC
https://github.com/apollographql/router/releases/tag/v1.52.1 | x_refsource_MISC
https://www.apollographql.com/docs/router/configuration/overview/#request-limits | x_refsource_MISC
https://www.apollographql.com/docs/router/customizations/coprocessor | x_refsource_MISC
https://www.apollographql.com/docs/router/customizations/native | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
apollographql | router | >=1.7.0, < 1.52.1
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "apollo_router", "vendor": "apollographql", "versions": [ { "lessThan": "1.52.1", "status": "affected", "version": "1.7.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-43783", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-27T18:04:15.713167Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-27T18:06:45.142Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "router", "vendor": "apollographql", "versions": [ { "status": "affected", "version": "\u003e=1.7.0, \u003c 1.52.1" } ] } ], "descriptions": [ { "lang": "en", "value": "The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions \u003e=1.21.0 and \u003c 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. Instances of the Apollo Router running versions \u003e=1.7.0 and \u003c1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true: 1. Router has been configured to use a custom-developed Native Rust Plugin. 2. The plugin accesses Request.router_request in the RouterService layer. 3. You are accumulating the body from Request.router_request into memory. 
If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB. If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors. If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance)." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-27T17:16:28.571Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32" }, { "name": "https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14" }, { "name": "https://github.com/apollographql/router/releases/tag/v1.52.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/releases/tag/v1.52.1" }, { "name": "https://www.apollographql.com/docs/router/configuration/overview/#request-limits", "tags": [ "x_refsource_MISC" ], "url": "https://www.apollographql.com/docs/router/configuration/overview/#request-limits" }, { "name": "https://www.apollographql.com/docs/router/customizations/coprocessor", "tags": [ "x_refsource_MISC" ], "url": "https://www.apollographql.com/docs/router/customizations/coprocessor" }, { "name": "https://www.apollographql.com/docs/router/customizations/native", "tags": [ "x_refsource_MISC" ], "url": "https://www.apollographql.com/docs/router/customizations/native" } ], "source": { "advisory": 
"GHSA-x6xq-whh3-gg32", "discovery": "UNKNOWN" }, "title": "Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-43783", "datePublished": "2024-08-27T17:16:28.571Z", "dateReserved": "2024-08-16T14:20:37.323Z", "dateUpdated": "2024-08-27T18:06:45.142Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41317 (GCVE-0-2023-41317)
Vulnerability from cvelistv5
Published
2023-09-05 18:31
Modified
2024-09-30 19:17
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Summary
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. It can be triggered when **all of the following conditions are met**:

1. Running Apollo Router v1.28.0, v1.28.1 or v1.29.0 ("impacted versions"); **and**
2. The Supergraph schema provided to the Router (either via Apollo Uplink or explicitly via other configuration) **has a `subscription` type** with root-fields defined; **and**
3. The YAML configuration provided to the Router **has subscriptions enabled** (they are _disabled_ by default), either by setting `enabled: true` _or_ by setting a valid `mode` within the `subscriptions` object (as seen in [subscriptions' documentation](https://www.apollographql.com/docs/router/executing-operations/subscription-support/#router-setup)); **and**
4. An [anonymous](https://spec.graphql.org/draft/#sec-Anonymous-Operation-Definitions) (i.e., un-named) `subscription` operation (e.g., `subscription { ... }`) is received by the Router.

If **all four** of these criteria are met, the impacted versions will panic and terminate. There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability. This is fixed in Apollo Router v1.29.1. Users are advised to upgrade. Updating to v1.29.1 should be a clear and simple upgrade path for those running impacted versions. However, if Subscriptions are **not** necessary for your Graph but are enabled via configuration, then disabling subscriptions is another option to mitigate the risk.
Impacted products
Vendor | Product | Version
---|---|---
apollographql | router | >= 1.28.0, < 1.29.1
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:54:05.149Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx" }, { "name": "https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa" }, { "name": "https://github.com/apollographql/router/releases/tag/v1.29.1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/apollographql/router/releases/tag/v1.29.1" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-41317", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-30T19:17:04.266143Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-30T19:17:12.220Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "router", "vendor": "apollographql", "versions": [ { "status": "affected", "version": "\u003e= 1.28.0, \u003c 1.29.1" } ] } ], "descriptions": [ { "lang": "en", "value": "The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. It can be triggered when **all of the following conditions are met**: 1. 
Running Apollo Router v1.28.0, v1.28.1 or v1.29.0 (\"impacted versions\"); **and** 2. The Supergraph schema provided to the Router (either via Apollo Uplink or explicitly via other configuration)\u00a0**has a `subscription` type** with root-fields defined; **and** 3. The YAML configuration provided to the Router **has subscriptions enabled** (they are _disabled_ by default), either by setting `enabled: true` _or_ by setting a valid `mode` within the `subscriptions` object (as seen in [subscriptions\u0027 documentation](https://www.apollographql.com/docs/router/executing-operations/subscription-support/#router-setup)); **and** 4. An [anonymous](https://spec.graphql.org/draft/#sec-Anonymous-Operation-Definitions) (i.e., un-named) `subscription` operation (e.g., `subscription { ... }`) is received by the Router If **all four** of these criteria are met, the impacted versions will panic and terminate. There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability. This is fixed in Apollo Router v1.29.1. Users are advised to upgrade. Updating to v1.29.1 should be a clear and simple upgrade path for those running impacted versions. However, if Subscriptions are **not** necessary for your Graph \u2013 but are enabled via configuration \u2014 then disabling subscriptions is another option to mitigate the risk." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-755", "description": "CWE-755: Improper Handling of Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-05T18:31:43.185Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx" }, { "name": "https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa" }, { "name": "https://github.com/apollographql/router/releases/tag/v1.29.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/releases/tag/v1.29.1" } ], "source": { "advisory": "GHSA-w8vq-3hf9-xppx", "discovery": "UNKNOWN" }, "title": "Unnamed \"Subscription\" operation results in Denial-of-Service in apollographql/router" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-41317", "datePublished": "2023-09-05T18:31:43.185Z", "dateReserved": "2023-08-28T16:56:43.365Z", "dateUpdated": "2024-09-30T19:17:12.220Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32032 (GCVE-0-2025-32032)
Vulnerability from cvelistv5
Published
2025-04-07 20:44
Modified
2025-04-08 14:52
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested and reused named fragments can generate many selections where this optimization does not apply, leading to significantly longer planning times. Because the query planner does not enforce a timeout, a small number of such queries can exhaust router's thread pool, rendering it inoperable. This could lead to excessive resource consumption and denial of service. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.
Impacted products
Vendor | Product | Version
---|---|---
apollographql | router | < 1.61.2
apollographql | router | >= 2.0.0-alpha.0, < 2.1.1
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32032", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-08T14:27:15.384286Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-08T14:52:25.565Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "router", "vendor": "apollographql", "versions": [ { "status": "affected", "version": "\u003c 1.61.2" }, { "status": "affected", "version": "\u003e= 2.0.0-alpha.0, \u003c 2.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested and reused named fragments can generate many selections where this optimization does not apply, leading to significantly longer planning times. Because the query planner does not enforce a timeout, a small number of such queries can exhaust router\u0027s thread pool, rendering it inoperable. This could lead to excessive resource consumption and denial of service. This has been remediated in apollo-router versions 1.61.2 and 2.1.1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-07T20:44:30.050Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-94hh-jmq8-2fgp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-94hh-jmq8-2fgp" }, { "name": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564" }, { "name": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952" } ], "source": { "advisory": "GHSA-94hh-jmq8-2fgp", "discovery": "UNKNOWN" }, "title": "Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-32032", "datePublished": "2025-04-07T20:44:30.050Z", "dateReserved": "2025-04-01T21:57:32.958Z", "dateUpdated": "2025-04-08T14:52:25.565Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32034 (GCVE-0-2025-32034)
Vulnerability from cvelistv5
Published
2025-04-07 20:50
Modified
2025-04-08 13:30
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, a vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reused fragments were involved. This could lead to excessive resource consumption and denial of service. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.
Impacted products
Vendor | Product | Version
---|---|---
apollographql | router | < 1.61.2
apollographql | router | >= 2.0.0-alpha.0, < 2.1.1
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32034", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-08T13:30:34.374049Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-08T13:30:44.951Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "router", "vendor": "apollographql", "versions": [ { "status": "affected", "version": "\u003c 1.61.2" }, { "status": "affected", "version": "\u003e= 2.0.0-alpha.0, \u003c 2.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, a vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reused fragments were involved. This could lead to excessive resource consumption and denial of service. This has been remediated in apollo-router versions 1.61.2 and 2.1.1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-07T20:50:29.690Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-75m2-jhh5-j5g2", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-75m2-jhh5-j5g2" }, { "name": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564" }, { "name": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952" } ], "source": { "advisory": "GHSA-75m2-jhh5-j5g2", "discovery": "UNKNOWN" }, "title": "Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-32034", "datePublished": "2025-04-07T20:50:29.690Z", "dateReserved": "2025-04-01T21:57:32.959Z", "dateUpdated": "2025-04-08T13:30:44.951Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32033 (GCVE-0-2025-32033)
Vulnerability from cvelistv5
Published
2025-04-07 20:48
Modified
2025-04-08 13:31
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Summary
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.
Impacted products
Vendor | Product | Version
---|---|---
apollographql | router | < 1.61.2
apollographql | router | >= 2.0.0-alpha.0, < 2.1.1
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32033", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-08T13:31:30.359125Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-08T13:31:44.219Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "router", "vendor": "apollographql", "versions": [ { "status": "affected", "version": "\u003c 1.61.2" }, { "status": "affected", "version": "\u003e= 2.0.0-alpha.0, \u003c 2.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query\u0027s height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments. This has been remediated in apollo-router versions 1.61.2 and 2.1.1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-119", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-07T20:48:19.504Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/apollographql/router/security/advisories/GHSA-84m6-5m72-45fp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/apollographql/router/security/advisories/GHSA-84m6-5m72-45fp" }, { "name": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564" }, { "name": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952" } ], "source": { "advisory": "GHSA-84m6-5m72-45fp", "discovery": "UNKNOWN" }, "title": "Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-32033", "datePublished": "2025-04-07T20:48:19.504Z", "dateReserved": "2025-04-01T21:57:32.958Z", "dateUpdated": "2025-04-08T13:31:44.219Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }