Apollo Router Vulnerability: Denial of Service Through External Coprocessors and Custom-Developed Native Rust Plugins
CVE-2024-43783

CVSS 7.5 (HIGH)

Key Information:

CVE Published: 27 August 2024

What is CVE-2024-43783?

The Apollo Router Core, the high-performance runtime for federated supergraphs built on Apollo Federation 2, contains a denial of service vulnerability that is reachable only under specific, non-default configurations. Router versions 1.21.0 through 1.52.1 can exhaust memory when External Coprocessing is enabled and the router is configured to send request bodies to the coprocessor; an administrator must set this option explicitly. Versions 1.7.0 through 1.52.1 are also affected when they load custom Native Rust Plugins that read Request.router_request directly without applying the router's HTTP size-limiting rules. The router limits request body sizes to 2 MB by default, but these configurations bypass that limit. Users are advised to upgrade to Apollo Router 1.52.1, or otherwise to apply alternative mitigations: adjust the coprocessor.router.request.body option and enforce a maximum body size in any custom plugin.
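As an added illustration, not taken from the advisory or from Apollo's own documentation, the configuration shape the advisory refers to, with the opt-in body forwarding beside the mitigated setting. The coprocessor URL is a constructed placeholder and the limits.http_max_request_bytes key is assumed from general Apollo Router configuration knowledge rather than from this page.

```yaml
# Added illustration, not from the advisory. Assumptions: a coprocessor
# listening at http://127.0.0.1:8081 (placeholder) and the
# limits.http_max_request_bytes key, which this page does not name.

# --- Vulnerable shape (router 1.21.0 through 1.52.1): request bodies are
# forwarded to the external coprocessor. This is opt-in, never the default.
coprocessor:
  url: http://127.0.0.1:8081
  router:
    request:
      headers: true
      body: true     # bodies are buffered for the coprocessor; per the
                     # advisory the default 2 MB limit is bypassed here
---
# --- Mitigated shape for deployments that cannot upgrade to 1.52.1 yet:
# stop forwarding bodies (the coprocessor.router.request.body adjustment
# the advisory mentions). Header-only forwarding is unaffected.
coprocessor:
  url: http://127.0.0.1:8081
  router:
    request:
      headers: true
      body: false

# The router's built-in request body limit (2 MB by default) still governs
# the normal request path; keep it explicit and do not raise it casually.
limits:
  http_max_request_bytes: 2000000
```

Custom Native Rust Plugins that consume Request.router_request are not covered by either document above and must enforce their own maximum body size, as the advisory states.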


Affected Version(s)

router >=1.7.0, < 1.52.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
