Apollo Router
CVE-2023-41317
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. It can be triggered when all of the following conditions are met: 1. Running Apollo Router v1.28.0, v1.28.1 or v1.29.0 ("impacted versions"); and 2. The Supergraph schema provided to the Router (either via Apollo Uplink or explicitly via other configuration) has a subscription type with root-fields defined; and 3. The YAML configuration provided to the Router has subscriptions enabled (they are _disabled_ by default), either by setting enabled: true _or_ by setting a valid mode within the subscriptions object (as seen in subscriptions' documentation); and 4. An anonymous (i.e., un-named) subscription operation (e.g., subscription { ... }) is received by the Router If all four of these criteria are met, the impacted versions will panic and terminate. There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability. This is fixed in Apollo Router v1.29.1. Users are advised to upgrade. Updating to v1.29.1 should be a clear and simple upgrade path for those running impacted versions. However, if Subscriptions are not necessary for your Graph - but are enabled via configuration - then disabling subscriptions is another option to mitigate the risk.
AnalysisAI
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
Technical ContextAI
This vulnerability is classified under CWE-755. The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. It can be triggered when all of the following conditions are met: 1. Running Apollo Router v1.28.0, v1.28.1 or v1.29.0 ("impacted versions"); and 2. The Supergraph schema provided to the Router (either via Apollo Uplink or explicitly via other configuration) has a subscription type with root-fields defined; and 3. The YAML configuration provided to the Router has subscriptions enabled (they are _disabled_ by default), either by setting enabled: true _or_ by setting a valid mode within the subscriptions object (as seen in subscriptions' documentation); and 4. An anonymous (i.e., un-named) subscription operation (e.g., subscription { ... }) is received by the Router If all four of these criteria are met, the impacted versions will panic and terminate. There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability. This is fixed in Apollo Router v1.29.1. Users are advised to upgrade. Updating to v1.29.1 should be a clear and simple upgrade path for those running impacted versions. However, if Subscriptions are not necessary for your Graph - but are enabled via configuration - then disabling subscriptions is another option to mitigate the risk. Affected products include: Apollographql Apollo Router.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Apollo Router
View allThe Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph th
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Rated high severity (CVSS 7.
The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Rated hig
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that us
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today