Apollo Gateway, Denial of Service, CVE-2023-XXXX (Critical)

How the CVE Works

The vulnerability in Apollo Gateway arises due to inefficient handling of deeply nested and reused named fragments in GraphQL queries. The query planner’s optimization, designed to skip unnecessary selections, fails when processing such fragments, causing exponential growth in query planning time. Since no timeout is enforced, malicious or overly complex queries can exhaust system resources, leading to denial of service (DoS). Attackers exploit this by crafting queries with recursive fragment references, forcing the gateway into prolonged computation and rendering it unresponsive.

DailyCVE Form

Platform: Apollo Gateway
Version: <2.10.1
Vulnerability: DoS via query planning
Severity: Critical
Date: 2023-XX-XX

What Undercode Say:

Exploitation:

  1. Craft a malicious GraphQL query with recursive fragments:

    query {
      ...FragmentA
    }
    fragment FragmentA on Query {
      ...FragmentB
    }
    fragment FragmentB on Query {
      ...FragmentA
    }

  2. Send repeatedly to overwhelm the gateway.

Detection:

  • Monitor `QueryOptimizationLimit` metrics for spikes.
  • Log long-running query planning (>1s).
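One way to get the "log long-running query planning" signal above into an Apollo Server deployment, as an added example that is not from the advisory or from Apollo: a plugin that records end-to-end request duration and logs any request over a threshold together with how many fragment definitions and spreads it carried. Apollo Server exposes no separate timing hook for the gateway's query-planning phase, so total request time is used here as a conservative proxy. The hook names (`requestDidStart`, `willSendResponse`) and the `requestContext.request` fields are the Apollo Server plugin API; the `now` and `sink` parameters are assumptions added so the plugin can be driven offline.

```javascript
// Added example (not the advisory's or Apollo's code): Apollo Server plugin that
// flags slow requests and summarises their fragment usage for the log.
// Hook names and requestContext.request fields are the Apollo Server plugin API;
// `now` and `sink` are injected so the plugin can be exercised without a server.
function createSlowRequestLogger({ thresholdMs = 1000, now = () => Date.now(), sink = console.warn } = {}) {
  const entries = []; // retained in memory for tests and dashboards

  const plugin = {
    // Called once per request; the returned listener sees the end of the request.
    requestDidStart() {
      const startedAt = now();
      return {
        willSendResponse(ctx) {
          const elapsedMs = now() - startedAt;
          if (elapsedMs < thresholdMs) return;
          const query = (ctx.request && ctx.request.query) || '';
          const entry = {
            elapsedMs,
            operationName: (ctx.request && ctx.request.operationName) || null,
            // "fragment Name on Type" definitions in the document
            fragmentDefinitions: (query.match(/\bfragment\s+\w+\s+on\b/g) || []).length,
            // "...Name" spreads; "... on Type" inline fragments are excluded
            spreads: (query.match(/\.\.\.\s*(?!on\b)\w+/g) || []).length,
          };
          entries.push(entry);
          sink(
            `slow graphql request: ${elapsedMs}ms, operation=${entry.operationName}, ` +
              `fragments=${entry.fragmentDefinitions}, spreads=${entry.spreads}`
          );
        },
      };
    },
  };
  return { plugin, entries };
}

// Constructed offline demonstration with a fake clock.
let demoClock = 0;
const demo = createSlowRequestLogger({ thresholdMs: 1000, now: () => demoClock, sink: console.log });
const demoRequest = { request: { query: 'query { ...A } fragment A on Query { x }', operationName: null } };
const demoListener = demo.plugin.requestDidStart();
demoClock = 1200;
demoListener.willSendResponse(demoRequest);
```

Register it with `new ApolloServer({ gateway, plugins: [plugin] })`; the `plugins` option is part of the Apollo Server constructor. The fragment and spread counts are what make the log line actionable: a request that is slow and carries many spreads points at the planning path this advisory describes rather than at a slow subgraph.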

Protection:

1. Patch: Upgrade to Apollo Gateway 2.10.1+.

2. Rate Limiting: Implement query depth/complexity limits:

  const { createComplexityLimitRule } = require('graphql-validation-complexity');
  const rule = createComplexityLimitRule(1000); // Adjust threshold

3. Timeouts: Enforce query planning timeouts in Apollo config:

  server:
    queryPlannerTimeoutMs: 500

4. WAF Rules: Block nested fragments exceeding depth 10.
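The depth check in item 4 and the complexity limit in item 2 both need a way to measure how deeply named fragments chain into each other. The following is an added example, not code from the advisory or from Apollo: a pre-validation gate that walks `...Name` spreads from the operation through each fragment definition, reports the nesting depth, and rejects documents that exceed a limit or contain a fragment cycle. It is regex-based and assumes conventionally written GraphQL text; a production deployment would apply the same walk to the AST produced by the `graphql` package. One caveat worth knowing: the standard GraphQL validation rule `NoFragmentCycles` already rejects cyclic fragments, so the measurement that matters for acyclic but deeply chained or heavily reused fragments is the depth this check returns.

```javascript
// Added example (not the advisory's or Apollo's code): measures named-fragment
// nesting depth and detects fragment cycles before a document reaches the planner.
// Regex-based and assumes conventional GraphQL formatting.
const FRAGMENT_DEF = /\bfragment\s+(\w+)\s+on\s+\w+\s*\{/g;
const SPREAD = /\.\.\.\s*(\w+)/g;

// Text between the brace at openIdx and its matching closing brace.
function extractBlock(src, openIdx) {
  let level = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === '{') level += 1;
    else if (src[i] === '}' && --level === 0) return src.slice(openIdx + 1, i);
  }
  throw new Error('unbalanced braces in document');
}

// Names spread with "...Name"; "... on Type { }" is an inline fragment, not a name.
function spreadsIn(text) {
  return [...text.matchAll(SPREAD)].map((m) => m[1]).filter((n) => n !== 'on');
}

// Splits the document into fragment definitions and the remaining operation text.
function parseFragments(query) {
  const fragments = new Map(); // fragment name -> names it spreads
  let operationText = '';
  let cursor = 0;
  for (const m of query.matchAll(FRAGMENT_DEF)) {
    const openIdx = m.index + m[0].length - 1;
    const body = extractBlock(query, openIdx);
    fragments.set(m[1], spreadsIn(body));
    operationText += query.slice(cursor, m.index);
    cursor = openIdx + body.length + 2; // just past the closing brace
  }
  operationText += query.slice(cursor);
  return { fragments, operationSpreads: spreadsIn(operationText) };
}

// Depth of a fragment is 1 + the deepest fragment it spreads; the path detects cycles.
function fragmentDepth(name, fragments, path, memo) {
  if (path.includes(name)) return { depth: Infinity, cycle: [...path, name] };
  if (memo.has(name)) return memo.get(name);
  // An undefined fragment counts as a leaf; standard validation rejects it anyway.
  const spreads = fragments.get(name) || [];
  let result = { depth: 1, cycle: null };
  for (const next of spreads) {
    const sub = fragmentDepth(next, fragments, [...path, name], memo);
    if (sub.cycle) return sub;
    if (sub.depth + 1 > result.depth) result = { depth: sub.depth + 1, cycle: null };
  }
  memo.set(name, result);
  return result;
}

// Gate: ok=false with a reason when a cycle exists or depth exceeds maxDepth.
function checkFragmentNesting(query, maxDepth = 10) {
  const { fragments, operationSpreads } = parseFragments(query);
  const memo = new Map();
  let depth = 0;
  for (const name of operationSpreads) {
    const r = fragmentDepth(name, fragments, [], memo);
    if (r.cycle) {
      return { ok: false, depth: Infinity, reason: 'fragment cycle: ' + r.cycle.join(' -> ') };
    }
    depth = Math.max(depth, r.depth);
  }
  if (depth > maxDepth) {
    return { ok: false, depth, reason: `fragment nesting depth ${depth} exceeds limit ${maxDepth}` };
  }
  return { ok: true, depth, reason: null };
}

// Constructed sample inputs: the recursive document from this page and a benign one.
const RECURSIVE_QUERY = `
query { ...FragmentA }
fragment FragmentA on Query { ...FragmentB }
fragment FragmentB on Query { ...FragmentA }
`;
const BENIGN_QUERY = `
query { user { ...UserFields ... on User { name } } }
fragment UserFields on User { id ...Address }
fragment Address on User { city }
`;

console.log(checkFragmentNesting(RECURSIVE_QUERY));
console.log(checkFragmentNesting(BENIGN_QUERY));
```

Run the gate in front of the gateway (as a WAF rule, a middleware, or a custom validation rule) and reject with a 400 before any planning happens; the returned `depth` is also a useful field to attach to the slow-request log so that limits can be tuned from real traffic rather than guessed.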

Analytics:

  • Impact: High—unpatched gateways risk complete outage.
  • Attack Surface: Public GraphQL endpoints.
  • Mitigation Efficacy: Patching + rate limits reduce risk to low.

CLI Commands:

Check Apollo Gateway version:

  npm list @apollo/gateway

Simulate attack (for testing):

  curl -X POST -H "Content-Type: application/json" -d '{"query":"{...FragmentA}"}' http://gateway/graphql

Code Fix:

  // Apollo Server setup with protections
  const { ApolloServer } = require('@apollo/server');
  const depthLimit = require('graphql-depth-limit');

  // `gateway` is your configured ApolloGateway instance
  const server = new ApolloServer({
    gateway,
    validationRules: [depthLimit(10)], // Prevent deep nesting
  });

References:

Reported By: https://github.com/advisories/GHSA-p2q6-pwh5-m6jr