GHSA-r344-xw3p-2frj

Suggest an improvement
Source
https://github.com/advisories/GHSA-r344-xw3p-2frj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r344-xw3p-2frj/GHSA-r344-xw3p-2frj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r344-xw3p-2frj
Aliases
Published
2023-10-19T16:08:10Z
Modified
2023-11-08T04:13:39.537132Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions
Details

Impact

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the @defer or Subscriptions, the Router will panic.

To be vulnerable, users of Router must have a coprocessor with coprocessor.supergraph.response configured in their router.yaml and also to support either @defer or Subscriptions.

Patches

Router version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue.

Workarounds

For affected versions, avoid using the coprocessor supergraph response:

# do not use this stage in your coprocessor configuration
coprocessor:
  supergraph:
    response:

Or you can disable defer and subscriptions support:

# disable defer and subscriptions:
supergraph:
  defer_support: false # enabled by default
subscription:
  enabled: false # disabled by default

and continue to use the coprocessor supergraph response.

References

https://github.com/apollographql/router/issues/4013

References

Affected packages

crates.io / apollo-router

Package

Name
apollo-router
View open source insights on deps.dev
Purl
pkg:cargo/apollo-router

Affected ranges

Type
SEMVER
Events
Introduced
1.31.0
Fixed
1.33.0