Infinite Loop in Apollo Federation Due to Exhaustive Query Planning
CVE-2024-43414

7.5 HIGH

Key Information:

Vendor
CVE Published:
27 August 2024

What is CVE-2024-43414?

Apollo Federation composes several subgraph APIs into one supergraph so that teams can own and deploy their part of the graph independently. The @apollo/query-planner component, which turns an incoming operation into a plan of subgraph fetches, explores candidate plans exhaustively. When a single operation selects fields that more than one subgraph can resolve, the number of candidate plans grows combinatorially, and a sufficiently complex query can drive the planner into an effectively infinite loop that allocates memory without bound until the gateway or router crashes or is killed by the OS for running out of memory. The result is a denial of service, and because planning happens before any resolver runs, an unauthenticated client that can reach the GraphQL endpoint is enough to trigger it. The affected code paths are @apollo/query-planner and @apollo/gateway from 2.0.0 up to but not including 2.8.5, and Apollo Router before 1.52.1; the fix is to upgrade to 2.8.5 or 1.52.1 respectively. Until the upgrade is in place, review the composed supergraph for fields that are resolvable from multiple subgraphs, since those are the fields that give the planner several paths per selection.
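The schema review recommended above can be automated. The script below is an added example written for this page, not Apollo's code and not the planner's actual algorithm: it scans a composed Federation 2 supergraph SDL, lists every field that more than one subgraph can resolve, and computes a rough upper bound on plan combinations for a given selection by multiplying the per-field resolver counts. The supergraph SDL, the field and function names, and the sample selections are all constructed for this example; the only convention it relies on is the real one from composition, namely that a field carrying no @join__field directive is resolvable from every subgraph that declares its parent type, and that a @join__field marked external: true is a reference, not a resolver.

```javascript
// Added example (not Apollo's code). Finds fields in a composed supergraph
// SDL that several subgraphs can resolve, the ingredient that lets the
// exhaustive planner in CVE-2024-43414 blow up. Sample SDL is constructed.

const SAMPLE_SUPERGRAPH = `
type Product
  @join__type(graph: INVENTORY, key: "id")
  @join__type(graph: PRODUCTS, key: "id")
  @join__type(graph: REVIEWS, key: "id")
{
  id: ID!
  name: String @join__field(graph: PRODUCTS) @join__field(graph: INVENTORY)
  price: Int @join__field(graph: PRODUCTS)
  weight: Int @join__field(graph: INVENTORY) @join__field(graph: PRODUCTS, external: true)
  reviews: [Review] @join__field(graph: REVIEWS)
  sku: String
}

type Review
  @join__type(graph: REVIEWS, key: "id")
{
  id: ID!
  body: String
}
`;

// Subgraphs that declare a type, read from its @join__type directives.
function typeGraphs(typeDirectives) {
  const graphs = new Set();
  for (const m of typeDirectives.matchAll(/@join__type\(\s*graph:\s*(\w+)/g)) {
    graphs.add(m[1]);
  }
  return graphs;
}

// Subgraphs that can resolve one field. Composition omits @join__field when
// the field exists in every subgraph that declares the type, so an absent
// directive means "all owners"; external: true marks a reference, not a resolver.
function fieldGraphs(fieldDirectives, ownerGraphs) {
  const graphs = new Set();
  let sawJoinField = false;
  for (const m of fieldDirectives.matchAll(/@join__field\(([^)]*)\)/g)) {
    sawJoinField = true;
    const args = m[1];
    if (/external:\s*true/.test(args)) continue;
    const g = /graph:\s*(\w+)/.exec(args);
    if (g) graphs.add(g[1]);
  }
  return sawJoinField ? graphs : new Set(ownerGraphs);
}

// Map of "Type.field" -> sorted list of subgraphs that can resolve it.
function resolverMap(sdl) {
  const out = {};
  for (const t of sdl.matchAll(/\btype\s+(\w+)([^{]*)\{([^}]*)\}/g)) {
    const [, typeName, typeDirectives, body] = t;
    const owners = typeGraphs(typeDirectives);
    for (const rawLine of body.split('\n')) {
      const line = rawLine.trim();
      if (!line || line.startsWith('#')) continue;
      // field name, optional args, colon, return type, then any directives
      const f = /^(\w+)\s*(?:\([^)]*\))?\s*:\s*[^@]*(.*)$/.exec(line);
      if (!f) continue;
      out[`${typeName}.${f[1]}`] = [...fieldGraphs(f[2], owners)].sort();
    }
  }
  return out;
}

// The fields worth reviewing: resolvable from more than one subgraph.
function sharedFields(sdl) {
  return Object.fromEntries(
    Object.entries(resolverMap(sdl)).filter(([, graphs]) => graphs.length > 1)
  );
}

// Crude upper bound on candidate plan combinations for a selection: the
// product of per-field resolver counts. Illustrates the growth, not the
// planner's real search.
function planCombinations(sdl, selection) {
  const map = resolverMap(sdl);
  let n = 1;
  for (const field of selection) {
    if (!(field in map)) throw new Error(`unknown field ${field}`);
    n *= map[field].length;
  }
  return n;
}

console.log('shared fields:', sharedFields(SAMPLE_SUPERGRAPH));
console.log('combinations for {id name sku}:',
  planCombinations(SAMPLE_SUPERGRAPH, ['Product.id', 'Product.name', 'Product.sku']));
```

Run against a real supergraph exported from composition (for example the schema the gateway or router loads), the shared-field list is the review target: every selection of those fields multiplies the planner's candidate space, and a client that nests or repeats them is the shape of query the advisory describes.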


Affected Version(s)

federation (@apollo/query-planner, @apollo/gateway): >= 2.0.0, < 2.8.5 (versions before 2.0.0 are not affected; fixed in 2.8.5)

federation (Apollo Router): < 1.52.1 (fixed in 1.52.1)

References

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
