Unnamed "Subscription" operation results in Denial-of-Service in apollographql/router
CVE-2023-41317
What is CVE-2023-41317?
The Apollo Router, a high-performance graph router, is vulnerable to a Denial-of-Service attack when GraphQL Subscriptions are enabled in specific configurations. This issue arises in versions 1.28.0, 1.28.1, and 1.29.0 when all four conditions are met: running the impacted version, having a Supergraph schema with a defined subscription type, enabling subscriptions in the YAML configuration, and receiving an anonymous subscription operation. When triggered, this vulnerability causes the Router to panic and terminate. It is crucial for users of affected versions to upgrade to v1.29.1 or disable subscriptions if they are not needed. No data privacy threat exists with this vulnerability.
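The four trigger conditions above can be turned into an exposure check that a team runs against its own inventory and request logs. The following is an added example written for this page, not code from the advisory or from the Apollo Router project. The version range and the trigger (an anonymous subscription operation) come from the description; the GraphQL scanner is a deliberately small one that only tracks top-level definitions, and the sample operations are constructed for the example.

```python
"""Added example for CVE-2023-41317 (not part of the advisory or of the
Apollo Router project): assess whether a deployment meets all four
trigger conditions and flag anonymous subscription operations."""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (1, 28, 0)   # inclusive lower bound, from the advisory
FIXED_VERSION = (1, 29, 1)  # exclusive upper bound; the fixed release


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'v1.29.0' or '1.29.0' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True for router >= 1.28.0 and < 1.29.1 (the published range)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


# Tokens we need to recognise: strings (so braces inside them are ignored),
# comments, names/keywords, structural punctuation, and any other character.
_TOKEN = re.compile(
    r'"""[\s\S]*?"""'             # block string
    r'|"(?:\\.|[^"\\\n])*"'       # ordinary string
    r'|#[^\n]*'                   # comment
    r'|[_A-Za-z][_0-9A-Za-z]*'    # name or keyword
    r'|[{}()@]'                   # punctuation that matters here
    r'|\S'                        # anything else (skipped)
)

OPERATION_KEYWORDS = ("query", "mutation", "subscription")


def anonymous_operation_type(document: str) -> Optional[str]:
    """Return the type of an unnamed top-level operation, or None.

    'subscription { ... }', 'subscription(...) { ... }' and
    'subscription @dir { ... }' are anonymous; 'subscription Name { ... }'
    is named. Shorthand '{ ... }' is an anonymous query. Keywords that
    appear inside a selection set (e.g. a field called `subscription`)
    are ignored because only depth 0 is inspected.
    """
    depth = 0
    state = "start"   # start | after_keyword | header
    pending = None    # operation keyword awaiting a name or a body
    for tok in _TOKEN.findall(document):
        if tok.startswith("#") or tok.startswith('"'):
            continue  # comments and strings carry no structure for us
        if tok == "{":
            if depth == 0:
                if state == "after_keyword":
                    return pending          # keyword directly followed by body
                if state == "start":
                    return "query"          # shorthand selection set
            depth += 1
            continue
        if tok == "}":
            depth -= 1
            if depth == 0:
                state, pending = "start", None
            continue
        if depth != 0:
            continue
        if state == "start":
            if tok in OPERATION_KEYWORDS:
                state, pending = "after_keyword", tok
            elif tok == "fragment":
                state = "header"            # fragment header, body follows
        elif state == "after_keyword":
            if tok in ("(", "@"):
                return pending              # variables/directives, no name
            state = "header"                # a name: this operation is named
    return None


def exposure(version: str, schema_has_subscription: bool,
             subscriptions_enabled: bool, operation: str) -> bool:
    """True only when all four conditions from the advisory hold."""
    return (is_affected_version(version)
            and schema_has_subscription
            and subscriptions_enabled
            and anonymous_operation_type(operation) == "subscription")


if __name__ == "__main__":
    # Constructed sample operations, not captured traffic.
    for op in ("subscription { ping }", "subscription Ping { ping }", "{ ping }"):
        print(repr(op), "->", anonymous_operation_type(op))
    print("exposed:", exposure("1.29.0", True, True, "subscription { ping }"))
```

The scanner is intentionally conservative: it reports the first anonymous operation it meets at the top level and treats anything nested as irrelevant, which is what a gateway-side detector or a log scan needs when deciding whether a request matched the fourth condition. Disabling subscriptions or upgrading removes the exposure regardless of what `anonymous_operation_type` returns, so the check is most useful for prioritising the upgrade and for spotting such requests in historical logs.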

Affected Version(s)
router >= 1.28.0, < 1.29.1
