Apollo Router, Authorization Bypass, CVE-2024-45622 (Critical)


The vulnerability in Apollo Router stems from its incorrect handling of the `@link` directive's `import` argument when it is used to rename the core authorization directives (@authenticated, @requiresScopes, @policy). Apollo Federation allows a subgraph schema to write `@link(url: "https://specs.apollo.dev/federation/v2.3", import: [{name: "@authenticated", as: "@auth"}])` to rename a directive and avoid naming conflicts. The router's security logic, which enforces access controls on queries, only matched the default directive names. When a schema element was protected with a renamed directive (e.g., @auth), the router did not recognize it as a security directive. Consequently, any query targeting a field or type protected solely by a renamed directive bypassed authorization checks entirely, granting unauthorized access to data that should have been restricted.
Platform: Apollo Router
Version: < 1.40.2
Vulnerability: Authorization Bypass
Severity: Critical
Date: 2024-10-15

Prediction: Patched 2024-10-15

What Undercode Say:

```bash
# Request the field that is protected only by the renamed directive
curl -X POST http://localhost:4000/ \
  -H "Content-Type: application/json" \
  --data '{"query":"query { sensitiveData }"}'
```

supergraph.yaml

```yaml
federation_version: =2.3
subgraphs:
  accounts:
    routing_url: http://localhost:4001
    schema:
      file: ./accounts.graphql
```

accounts.graphql (Vulnerable)

```graphql
extend schema @link(url: "https://specs.apollo.dev/federation/v2.3", import: [{name: "@authenticated", as: "@auth"}])

type Query {
  sensitiveData: String! @auth
}
```

How to Exploit:

Craft queries targeting fields protected by renamed directives like @auth. The router ignores the directive, returning unauthorized data.

Protection from this CVE:

Upgrade to Router version 1.40.2 or later. Immediately remove all renames of the @authenticated, @requiresScopes, and @policy directives in your subgraph schemas.
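The following schema check is an added example, not code from this advisory or from Apollo. It models the two behaviours described above (name-only matching versus resolving the `@link` import aliases) and reports the renames that the mitigation says to remove. It assumes the subgraph SDL is available as a string and uses regex parsing instead of a GraphQL parser; the sample schema is constructed from the advisory's accounts.graphql.

```python
import re

# Canonical Federation authorization directives, as the spec names them.
AUTH_DIRECTIVES = {"@authenticated", "@requiresScopes", "@policy"}

LINK_RE = re.compile(r'@link\s*\(([^()]*)\)', re.S)
RENAME_RE = re.compile(r'\{\s*name\s*:\s*"(@\w+)"\s*,\s*as\s*:\s*"(@\w+)"\s*\}')
TYPE_RE = re.compile(r'\b(?:type|interface)\s+(\w+)[^{]*\{([^}]*)\}', re.S)
FIELD_RE = re.compile(r'^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*[\[\]\w!]+\s*(.*)$', re.M)


def auth_aliases(sdl: str) -> dict:
    """Map each name an auth directive may appear under to its canonical name."""
    aliases = {d: d for d in AUTH_DIRECTIVES}
    for link in LINK_RE.finditer(sdl):
        args = link.group(1)
        if "specs.apollo.dev/federation" not in args:
            continue  # only the federation @link can import these directives
        for name, alias in RENAME_RE.findall(args):
            if name in AUTH_DIRECTIVES:
                aliases[alias] = name
    return aliases


def protected_fields(sdl: str, resolve_aliases: bool) -> dict:
    """Return {"Type.field": [canonical directives]} for every protected field.

    resolve_aliases=False mimics the flawed pre-1.40.2 logic (default names
    only); True is the alias-aware check that also sees renamed directives.
    """
    aliases = auth_aliases(sdl) if resolve_aliases else {d: d for d in AUTH_DIRECTIVES}
    found = {}
    for type_name, body in TYPE_RE.findall(sdl):
        for field, rest in FIELD_RE.findall(body):
            hits = [aliases[d] for d in re.findall(r"@\w+", rest) if d in aliases]
            if hits:
                found[f"{type_name}.{field}"] = hits
    return found


def renamed_auth_directives(sdl: str) -> dict:
    """Aliases of auth directives that the advisory's mitigation says to remove."""
    return {a: n for a, n in auth_aliases(sdl).items() if a != n}


# Constructed sample subgraph SDL (hypothetical fields, based on the advisory).
SAMPLE_SDL = '''
extend schema @link(url: "https://specs.apollo.dev/federation/v2.3",
  import: ["@key", {name: "@authenticated", as: "@auth"}, {name: "@policy", as: "@pol"}])

type Query {
  sensitiveData: String! @auth
  auditLog(limit: Int): [String!]! @pol(policies: [["admin"]])
  profile: String! @authenticated
}
'''
```

Running `protected_fields(SAMPLE_SDL, resolve_aliases=False)` reports only `Query.profile`, which is exactly the gap the advisory describes; the alias-aware call also reports `sensitiveData` and `auditLog`.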

Impact:

Unauthorized data access, complete bypass of element-level security controls on GraphQL types and fields.


Sources:

Reported By: github.com