How the CVE Works
The vulnerability in Apollo Gateway arises during query planning when processing GraphQL queries containing deeply nested and repeatedly reused named fragments. The query planner expands named fragments once per fragment spread, leading to exponential resource consumption. Attackers can craft malicious queries with recursive or excessively nested fragments, causing the Gateway to allocate excessive CPU and memory. This results in denial of service (DoS) by exhausting system resources. The issue stems from inefficient fragment expansion logic in `@apollo/gateway` versions before 2.10.1, where no limits were enforced on fragment expansion depth or repetition.
DailyCVE Form
Platform: Apollo Gateway
Version: <2.10.1
Vulnerability: DoS via fragments
Severity: High
Date: 2025-04-07
What Undercode Say:
Exploitation:
- Craft a malicious GraphQL query with recursive fragments:
query { ...FragmentA } fragment FragmentA on Query { ...FragmentA field }
- Send the query repeatedly to overwhelm the Gateway.
Detection:
1. Monitor CPU/memory spikes during query planning.
2. Log large or nested fragment usage:
gateway.metrics.fragmentExpansionLimitExceeded?.count()
Mitigation:
1. Upgrade to `@apollo/gateway@2.10.1` or later.
2. Enforce query depth limits:
new ApolloGateway({ experimental_approximateQueryPlanStoreMetrics: true, queryPlannerConfig: { fragmentExpansionLimit: 100 } });
3. Rate-limit complex queries:
limit_req_zone $binary_remote_addr zone=graphql:10m rate=10r/s;  # http block: defines the zone used below
location /graphql { limit_req zone=graphql burst=10; }
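An added check, not code from the advisory or from Apollo Gateway, illustrating the cost the page describes: it estimates the fully expanded size of a query from its named-fragment spreads, memoising each fragment so the estimate itself stays linear, and rejects fragment cycles and over-budget documents before they reach the planner. It assumes fragment definitions carry no directives before the opening brace; `expandedSize`, its budget and the `doublingChain` input are constructed for this example.

```javascript
// Added, constructed pre-check; not Apollo Gateway code. Assumes fragment definitions
// have no directives between the type condition and the opening brace.
function closeBrace(doc, open) { // index just past the brace matching doc[open], or -1
  for (let i = open, depth = 0; i < doc.length; i++) {
    if (doc[i] === '{') depth++;
    else if (doc[i] === '}' && --depth === 0) return i + 1;
  }
  return -1;
}
// Split a document into its operation text and a map of fragment name -> body.
function splitDocument(doc) {
  const frags = new Map(), defRe = /\bfragment\s+(\w+)\s+on\s+\w+\s*\{/g;
  let operation = '', cursor = 0, m;
  while ((m = defRe.exec(doc))) {
    const open = m.index + m[0].length - 1, end = closeBrace(doc, open);
    if (end < 0) throw new Error('unbalanced braces');
    frags.set(m[1], doc.slice(open + 1, end - 1));
    operation += doc.slice(cursor, m.index);
    cursor = defRe.lastIndex = end;
  }
  return { operation: operation + doc.slice(cursor), frags };
}
// Expanded size = identifiers in the body (a coarse, monotone cost proxy) + expanded size of every spread.
function expandedSize(doc, budget = 10000) {
  const { operation, frags } = splitDocument(doc), memo = new Map(), inProgress = new Set();
  function size(body, name) { // memo keeps the estimate linear even when expansion is exponential
    if (memo.has(name)) return memo.get(name);
    if (inProgress.has(name)) throw new Error(`fragment cycle through ${name}`);
    inProgress.add(name);
    const spreads = [];
    const stripped = body.replace(/\.\.\.\s*on\s+\w+/g, '') // inline fragments expand nothing
      .replace(/\.\.\.\s*(\w+)/g, (_, n) => { spreads.push(n); return ''; });
    let total = (stripped.match(/[A-Za-z_]\w*/g) || []).length;
    for (const s of spreads) {
      if (!frags.has(s)) throw new Error(`unknown fragment ${s}`);
      total += size(frags.get(s), s);
      if (total > budget) throw new Error(`expanded size ${total} exceeds budget ${budget}`);
    }
    inProgress.delete(name); memo.set(name, total);
    return total;
  }
  return size(operation, '<operation>');
}
// Constructed input: N fragments each spreading the next twice, so the leaf expands 2^N times.
function doublingChain(n) {
  let doc = 'query { ...F0 }';
  for (let i = 0; i < n; i++) doc += ` fragment F${i} on Query { ...F${i + 1} ...F${i + 1} }`;
  return doc + ` fragment F${n} on Query { leaf }`;
}
```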
Analytics:
- Impact: High (CPU/memory exhaustion).
- Attack Vector: Remote, unauthenticated.
- Patch Priority: Immediate.
References:
Reported By: https://github.com/advisories/GHSA-q2f9-x4p4-7xmh