Bug in Apollo Router Could Lead to Unintended Operations

CVE-2024-32971

What is CVE-2024-32971?

The Apollo Router, part of Apollo's Federation 2 ecosystem, has a vulnerability affecting its distributed query plan caching feature. In certain scenarios, this flaw can trigger unexpected operations when executing queries, mutations, or subscriptions, potentially leading to unintended data retrieval or manipulation. Specifically, the issue resides within the cache retrieval logic, where the Router may execute a previously cached operation with modified parameters, resulting in discrepancies between expected and actual results. For instance, a query intended to fetch users of type 'ENTERPRISE' may incorrectly perform a fetch of users of type 'TRIAL', while mutations may affect incorrect user IDs. Apollo recommends users either update to version 1.45.1 or later or rollback to version 1.43.2 to avoid these risks. Furthermore, those unable to upgrade can temporarily disable distributed query plan caching as a precautionary measure.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References