Apollo Router, Denial of Service, CVE-2024-XXXX (Critical)

How the CVE Works:

The vulnerability in Apollo Router stems from inefficient handling of GraphQL queries containing deeply nested and reused named fragments. During query planning, named fragments are expanded once per fragment spread, leading to exponential resource consumption. Attackers can craft malicious queries with recursive fragment references, causing the router to exhaust CPU and memory resources. This results in a denial of service (DoS) by overwhelming the query planner, making the service unresponsive. The issue is particularly severe in high-traffic environments where query planning latency directly impacts performance.

DailyCVE Form:

Platform: Apollo Router
Version: <1.61.2, <2.1.1
Vulnerability: DoS via fragment expansion
Severity: Critical
Date: 2024-XX-XX

What Undercode Says:

Exploitation:

1. Craft a recursive GraphQL query:

query {
...FragmentA
}
fragment FragmentA on Query {
...FragmentB
}
fragment FragmentB on Query {
...FragmentA
}

2. Send repeated malicious queries to exhaust server resources.

Protection:

1. Upgrade to Apollo Router 1.61.2 or 2.1.1.

2. Implement query cost limiting:

router.yaml
limits:
  query_fragment_expansion: 1000

3. Enable persisted queries:

curl -X POST -H "Content-Type: application/json" \
-d '{"query": "query { __typename }"}' \
http://router/graphql

4. Monitor query complexity:

apollo_router_query_planning_fragment_expansion_limit_exceeded

5. Apply rate limiting via NGINX:

limit_req_zone $binary_remote_addr zone=graphql:10m rate=10r/s;
location /graphql { limit_req zone=graphql burst=20; }  # the zone only takes effect where limit_req applies it
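As an added example (not code from this page or from Apollo), a pre-planner check in Python that does what protection items 2 and 4 aim for: it maps each fragment to its named spreads, rejects the cyclic chain shown in the exploitation section, and counts how many fragment bodies full inlining would produce without performing the inlining, so a short document that would expand to thousands of bodies is refused before the query planner spends the CPU. The parser is a deliberate simplification (top-level definitions and `...Name` spreads only, no directives or string literals containing braces), and `chain_query` builds a constructed sample rather than any real traffic.

```python
import re
# Definitions ("query Name {", "fragment Name on Type {") and named spreads ("...Name"); "... on T" is inline, not a spread.
DEF_RE = re.compile(r"\b(query|mutation|subscription|fragment)\b\s*(\w+)?(?:\s+on\s+\w+)?\s*\{")
SPREAD_RE = re.compile(r"\.\.\.\s*(?!on\b)(\w+)")

def _body(text, open_idx):
    depth = 0  # return the text inside the brace at open_idx and the index after its match
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i], i + 1
    raise ValueError("unbalanced braces")

def parse_spreads(doc):
    """Return (spread lists of each operation, {fragment name: its spreads})."""
    ops, frags, pos = [], {}, 0
    while (m := DEF_RE.search(doc, pos)):
        body, pos = _body(doc, m.end() - 1)
        spreads = SPREAD_RE.findall(body)
        if m.group(1) == "fragment":
            frags[m.group(2)] = spreads
        else:
            ops.append(spreads)
    return ops, frags

def fragment_expansions(frags, spreads, memo, stack=()):
    """Count the bodies full inlining would produce; memoised, so linear even when the expansion is exponential."""
    total = 0
    for name in spreads:
        if name in stack:  # the spread chain returned to a fragment still being expanded
            raise ValueError("fragment cycle: " + " -> ".join(stack + (name,)))
        if name not in memo:  # frags[name] raises KeyError for an undefined fragment
            memo[name] = 1 + fragment_expansions(frags, frags[name], memo, stack + (name,))
        total += memo[name]
    return total

def check_query(doc, limit=1000):
    ops, frags = parse_spreads(doc)
    worst = max((fragment_expansions(frags, s, {}) for s in ops), default=0)
    if worst > limit:  # reject here, before the planner pays for the expansion
        raise ValueError(f"fragment expansion budget exceeded: {worst} > {limit}")
    return worst

def chain_query(depth):
    lines = ["query Probe { ...F0 ...F0 }"]  # constructed sample: each fragment spreads the next twice
    for i in range(depth):
        lines.append(f"fragment F{i} on Query {{ f{i} ...F{i + 1} ...F{i + 1} }}")
    lines.append(f"fragment F{depth} on Query {{ leaf }}")
    return "\n".join(lines)
```

Spec-compliant GraphQL validation already rejects fragment cycles; the budget check is what catches the acyclic case, where every fragment is valid but reuse makes the expanded query grow as 2^depth (chain_query(9) is 11 short lines that expand to 2046 fragment bodies).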

Analytics:

  • Query depth analysis:
    query {
      __typename
      ... on Query {
        field1 {
          field2 {
            field3
          }
        }
      }
    }

  • Log fragment expansion attempts:
    #[tracing::instrument]
    fn expand_fragments(query: &str) -> Result<(), Error> {
        // ...
    }


References:

Reported By: https://github.com/advisories/GHSA-75m2-jhh5-j5g2