How the CVE Works:
The vulnerability in Apollo Router stems from inefficient query validation when processing deeply nested and reused named fragments in GraphQL queries. During validation, the Apollo Compiler reprocessed the same named fragments multiple times—once per fragment spread—instead of caching or processing them once. This caused exponential resource consumption when handling complex queries with recursive fragment references. Attackers could exploit this by sending maliciously crafted queries with excessive nesting, leading to CPU/memory exhaustion and denial of service (DoS). The issue was resolved by optimizing fragment validation to process each fragment only once.
DailyCVE Form:
Platform: Apollo Router
Version: <1.61.2, <2.1.1
Vulnerability: DoS via fragment reuse
Severity: High
Date: 2023-XX-XX
What Undercode Say:
Exploitation:
- Craft a malicious GraphQL query with recursive fragments:
query Attack { ...FragmentA } fragment FragmentA on Query { ...FragmentA field1 }
- Send repeatedly to Apollo Router to trigger CPU/memory exhaustion.
Protection:
- Patch: Upgrade to Apollo Router v1.61.2+ or v2.1.1+.
- Rate Limiting: Implement query complexity limits in the Apollo Router config:
  limits:
    max_depth: 10
    max_aliases: 15
- Persisted Queries: Enforce safelisting with IDs only, so that a free-form query such as the following is rejected by the router:
  curl -X POST -H "Content-Type: application/json" \
    -d '{"query": "query { __typename }"}' \
    http://router/graphql
Detection:
- Monitor for abnormal CPU spikes during query validation.
- Log fragmented queries exceeding depth thresholds:
Sample log analysis (pseudocode):
  if "fragment" in query and query.count("...") > 50:
      block_request()
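As an added example (not part of this advisory), the check below goes beyond counting `...` tokens: it counts how many fragment visits a validator that re-checks a named fragment once per spread would make, which is exactly the fan-out this vulnerability abuses, and it flags fragment cycles such as the recursive query above. The threshold of 50 and the sample document are constructed.

```python
import re
# Added example, not from the advisory: count the fragment visits a validator
# that re-checks a named fragment once per spread makes for a query, so outsized
# documents can be logged or rejected. Regex scan, not a full GraphQL grammar.
FRAG_DEF = re.compile(r"\bfragment\s+(\w+)\s+on\s+\w+\s*\{")
SPREAD = re.compile(r"\.\.\.\s*(?!on\b)(\w+)")  # named spreads, not "... on T"

def split_document(query: str):
    """Return (operation_text, {fragment_name: body_text})."""
    frags, cut = {}, []
    for m in FRAG_DEF.finditer(query):
        depth, i = 1, m.end()
        while i < len(query) and depth:  # scan to the matching closing brace
            depth += {"{": 1, "}": -1}.get(query[i], 0)
            i += 1
        frags[m.group(1)] = query[m.end():i - 1]
        cut.append((m.start(), i))
    keep, pos = [], 0
    for a, b in cut:  # keep only the text outside fragment definitions
        keep.append(query[pos:a])
        pos = b
    keep.append(query[pos:])
    return "".join(keep), frags

def fragment_visits(query: str) -> int:
    """Visits under per-spread re-validation; ValueError on a fragment cycle
    or a spread of an undefined fragment (both are invalid GraphQL anyway)."""
    op_text, frags = split_document(query)
    memo = {}
    def cost(name, stack):
        if name in stack or name not in frags:
            raise ValueError(f"cycle or undefined fragment: {name}")
        if name not in memo:  # graph is acyclic here, so cost is path-independent
            memo[name] = 1 + sum(cost(c, stack | {name})
                                 for c in SPREAD.findall(frags[name]))
        return memo[name]
    return sum(cost(c, frozenset()) for c in SPREAD.findall(op_text))

def classify(query: str, max_visits: int = 50) -> str:
    """'ok', 'invalid' (cycle or undefined spread) or 'too_many_visits'."""
    try:
        return "too_many_visits" if fragment_visits(query) > max_visits else "ok"
    except ValueError:
        return "invalid"

# Constructed sample: only 3 fragments, but each is spread twice per level, so
# a per-spread validator visits 2 + 4 + 8 = 14 fragments instead of 3.
DOUBLING = """query Q { ...A ...A }
fragment A on Query { ...B ...B }
fragment B on Query { ...C ...C }
fragment C on Query { f }"""
```

Each extra doubling level doubles the visit count, so ten levels of three-line fragments already cost a per-spread validator thousands of visits while the document itself stays tiny.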
Mitigation Commands:
- Kubernetes rollout (if deployed):
kubectl set image deployment/apollo-router router=apollo/router:2.1.1
- Docker update (the container must be recreated; docker restart alone keeps running the old image):
docker pull apollo/router:2.1.1
docker rm -f apollo-router
docker run -d --name apollo-router <original run flags> apollo/router:2.1.1
References:
- Apollo Router Changelog
- GraphQL Security Best Practices
- Reported By: https://github.com/advisories/GHSA-3j43-9v8v-cp3f