Apollo Router Vulnerable to Denial-of-Service (DoS) Attacks
CVE-2024-28101

7.5HIGH

Key Information:

Vendor: Apollographql
Status: Router
Vendor: CVE Published:; 21 March 2024

🔔 Create Apollographql Vulnerability Alert

What is CVE-2024-28101?

The Apollo Router, developed in Rust for navigating a federated supergraph using Apollo Federation, is susceptible to a Denial-of-Service vulnerability in versions ranging from 0.9.5 to 1.40.2. This vulnerability arises when the Router processes compressed HTTP payloads, evaluating the configuration setting limits.http_max_request_bytes only after the complete payload is decompressed. As a result, if the Router receives a highly compressed payload, it can lead to excessive memory usage during decompression, potentially causing service disruptions. Version 1.40.2 has addressed this issue. Users who cannot promptly upgrade may implement mitigations through configurations at proxies, load balancers, or cloud-native WAF services, setting limits on the size of HTTP body uploads.

Affected Version(s)

router >= 0.9.5, < 1.40.2

References

https://github.com/apollographql/router/security/advisori...

x_refsource_CONFIRM

https://github.com/apollographql/router/commit/9e9527c73c...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 21, 2024
Vulnerability Reserved
Mar 4, 2024

CVE-2024-28101 Data

JSON