CVE-2024-28101: Apollo Router's Compressed Payloads do not respect HTTP Payload Limits

March 6, 2024

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the limits.http_max_request_bytes configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory consumption while the compressed payload is expanded.

References

github.com/advisories/GHSA-cgqf-3cq5-wvcj
github.com/apollographql/router
github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413
github.com/apollographql/router/security/advisories/GHSA-cgqf-3cq5-wvcj
nvd.nist.gov/vuln/detail/CVE-2024-28101

Detect and mitigate CVE-2024-28101 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →