How the CVE Works
The vulnerability in Apollo Router stems from improper handling of 32-bit unsigned integers in its operation limits plugin. When tracking query complexity metrics (e.g., query depth, node count), the plugin uses counters that increment for each operation. If a query's complexity exceeds `4,294,967,295` (the maximum 32-bit unsigned integer value), the counter overflows and wraps around to 0. Attackers can craft malicious queries, either extremely large or with deeply nested fragments, to trigger this overflow and bypass the enforced query limits. This allows excessive resource consumption, potentially leading to denial-of-service (DoS) or unauthorized data access.
DailyCVE Form
Platform: Apollo Router
Version: <1.61.2, <2.1.1
Vulnerability: Integer Overflow
Severity: Critical
Date: 2023-XX-XX
What Undercode Say:
Exploitation:
1. Craft Overflow Query:
    query {
      # Deeply nested fragments to trigger counter overflow
      ...FragmentA
    }
    fragment FragmentA on Query { ...FragmentB }
    fragment FragmentB on Query { ...FragmentA }  # Recursive nesting
2. Bypass Payload Limits:
curl -X POST -H "Content-Type: application/json" --data '{"query":"{__typename}"}' http://router/graphql
Protection:
1. Update Immediately:
npm update [email protected]
2. Enforce Safelisting:
    # router.yaml
    plugins:
      operation_limits:
        max_depth: 10
        persisted_queries: true
3. Rate Limiting:
    # Use NGINX to restrict payload size
    http {
        client_max_body_size 1M;
    }
Detection:
1. Log Analysis:
grep -r "query complexity exceeded" /var/log/apollo
2. WAF Rules:
SecRule REQUEST_BODY "@rx fragment\s+\w+\s+on" "id:1001,deny"
Mitigation Code:
    // Patch example (Rust)
    fn increment_counter(counter: u32) -> Option<u32> {
        counter.checked_add(1) // Prevent overflow: None instead of wrapping to 0
    }
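The following is an added example, not Apollo Router's own code, tying the counter wrap described under "How the CVE Works" to the checked-arithmetic fix above: a wrapped u32 counter lands on 0 and sails through a `total <= max` check, whereas `checked_add` turns the overflow into a rejection. `LimitError`, `Node` and the function names are hypothetical stand-ins for the plugin's counters and limit check.

```rust
// Added example, not Apollo Router's code; LimitError, Node and the function
// names are hypothetical stand-ins for the plugin's counters and limit check.

#[derive(Debug, PartialEq)]
pub enum LimitError {
    Exceeded, // query is larger than the configured limit
    Overflow, // the counter cannot represent the size at all
}

/// Vulnerable pattern: `wrapping_add` is what `+=` on a u32 does in a release
/// build, so 4,294,967,295 + 1 silently becomes 0.
pub fn count_unchecked(current: u32, extra: u32) -> u32 {
    current.wrapping_add(extra)
}

/// The comparison a wrapped counter is fed into: 0 passes any limit.
pub fn within_limit(total: u32, max: u32) -> bool {
    total <= max
}

/// Hardened pattern: `checked_add` yields None on overflow, and the caller
/// treats that exactly like exceeding the limit (fail closed).
pub fn count_checked(current: u32, extra: u32, max: u32) -> Result<u32, LimitError> {
    let total = current.checked_add(extra).ok_or(LimitError::Overflow)?;
    if total > max { Err(LimitError::Exceeded) } else { Ok(total) }
}

/// Constructed stand-in for a selection set: each node is one field.
pub struct Node {
    pub children: Vec<Node>,
}

/// Depth-first node count with checked arithmetic; stops at the first node
/// that pushes the total past `max`, so an oversized query is never fully walked.
pub fn count_nodes(node: &Node, max: u32, so_far: u32) -> Result<u32, LimitError> {
    let mut total = count_checked(so_far, 1, max)?;
    for child in &node.children {
        total = count_nodes(child, max, total)?;
    }
    Ok(total)
}

fn main() {
    let wrapped = count_unchecked(u32::MAX, 1);
    println!("wrapped to {}, within limit 1000: {}", wrapped, within_limit(wrapped, 1000));
    println!("checked: {:?}", count_checked(u32::MAX, 1, 1000));
    let leaf = || Node { children: vec![] };
    let query = Node { children: vec![leaf(), Node { children: vec![leaf(), leaf()] }] };
    println!("{:?} {:?}", count_nodes(&query, 10, 0), count_nodes(&query, 3, 0));
}
```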
Analytics:
- Attack Vector: Network (GraphQL API)
- CVSS: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- Affected Configs: Default operation_limits plugin enabled.
References:
Reported By: https://github.com/advisories/GHSA-84m6-5m72-45fp