Apollo Router Vulnerable to Denial-of-Service (DoS) Attacks
CVE-2024-28101

7.5HIGH

Key Information:

Vendor: Apollographql
Status: Router
Vendor: CVE Published:; 21 March 2024

🔔 Create Apollographql Vulnerability Alert

What is CVE-2024-28101?

The Apollo Router, developed in Rust for navigating a federated supergraph using Apollo Federation, is susceptible to a Denial-of-Service vulnerability in versions ranging from 0.9.5 to 1.40.2. This vulnerability arises when the Router processes compressed HTTP payloads, evaluating the configuration setting limits.http_max_request_bytes only after the complete payload is decompressed. As a result, if the Router receives a highly compressed payload, it can lead to excessive memory usage during decompression, potentially causing service disruptions. Version 1.40.2 has addressed this issue. Users who cannot promptly upgrade may implement mitigations through configurations at proxies, load balancers, or cloud-native WAF services, setting limits on the size of HTTP body uploads.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

router >= 0.9.5, < 1.40.2

References

https://github.com/apollographql/router/security/advisori...

x_refsource_CONFIRM

https://github.com/apollographql/router/commit/9e9527c73c...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 21, 2024
Vulnerability Reserved
Mar 4, 2024

JSON

Apollographql

What is CVE-2024-28101?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.