Asymmetric denial of service In apollo-router
Description
Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions
Impact
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the @defer or Subscriptions, the Router will panic.
To be vulnerable, users of Router must have a coprocessor with coprocessor.supergraph.response configured in their router.yaml and also to support either @defer or Subscriptions.
Patches
Router version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue.
Workarounds
For affected versions, avoid using the coprocessor supergraph response:
# do not use this stage in your coprocessor configuration coprocessor: supergraph: response:
Or you can disable defer and subscriptions support:
# disable defer and subscriptions: supergraph: defer_support: false # enabled by default subscription: enabled: false # disabled by default
and continue to use the coprocessor supergraph response.
References
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 cargo | 1.33.0 |
Aliases
References