Jasonbarnett667

#11622 of 53,632 · 23.7 Total CVSS · Vulnerabilities: 3 (High: 3)
PT-2024-30653 · CVSS 8.7 · 2024-08-27
Apollo · Apollo Router · CVE-2024-43783
**Name of the Vulnerable Software and Affected Versions**

- Apollo Router versions 1.7.0 through 1.52.0 (Native Rust Plugins)
- Apollo Router versions 1.21.0 through 1.52.0 (External Coprocessing)

**Description**

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router are affected by a denial-of-service vulnerability if certain conditions are met, including the use of External Coprocessing or Native Rust Plugins with specific configurations. The vulnerability can cause the Router to load entire HTTP request bodies into memory without regard to other HTTP request size-limiting configuration, leading to out-of-memory termination if a sufficiently large request is sent.

The estimated number of potentially affected devices is not provided. There is no information about real-world incidents in which this issue was exploited.

Technical details about exploitation:

- **API Endpoints:** Not specified
- **Vulnerable Parameters or Variables:** `coprocessor.router.request.body`, `limits.http_max_request_bytes`, `Request.router_request`
- **Function Names:** `router_service`

**Recommendations**

- For Apollo Router versions 1.7.0 through 1.52.0, upgrade to at least Apollo Router 1.52.1.
- For Apollo Router versions 1.21.0 through 1.52.0 with External Coprocessing, set the `coprocessor.router.request.body` configuration option to `false` as a temporary workaround.
- For Apollo Router versions 1.7.0 through 1.52.0 with Native Rust Plugins, update the plugin to either not accumulate the request body or enforce a maximum body size limit.
- Limit HTTP body payload sizes before traffic reaches the Router, for example in a proxy or web application firewall appliance.
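The plugin-side mitigation above (enforce a maximum body size while accumulating) is illustrated by the following added example. It is not Apollo Router code and does not use its plugin API; `chunks` is an assumed stand-in for a streamed request body, and the bounded collector is contrasted with the unbounded pattern the advisory describes.

```rust
// Added example, not Apollo Router's own code: `chunks` stands in for a streamed
// request body; the real plugin API is not used here.

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// The accumulated body would exceed `limit`; stop reading and reject the request.
    TooLarge { limit: usize, seen: usize },
}

/// Accumulate body chunks into one buffer, never beyond `max_bytes`.
/// Checking before extending bounds memory use by `max_bytes` plus at most one
/// chunk, regardless of how large the full body a client sends is.
pub fn collect_body_bounded<I>(chunks: I, max_bytes: usize) -> Result<Vec<u8>, BodyError>
where
    I: IntoIterator<Item = Vec<u8>>,
{
    let mut buf: Vec<u8> = Vec::new();
    for chunk in chunks {
        let seen = buf.len() + chunk.len();
        if seen > max_bytes {
            return Err(BodyError::TooLarge { limit: max_bytes, seen });
        }
        buf.extend_from_slice(&chunk);
    }
    Ok(buf)
}

/// The unbounded pattern the advisory warns about: every chunk is appended, so
/// memory use grows with whatever body size the client chooses to send.
pub fn collect_body_unbounded<I>(chunks: I) -> Vec<u8>
where
    I: IntoIterator<Item = Vec<u8>>,
{
    let mut buf = Vec::new();
    for chunk in chunks {
        buf.extend_from_slice(&chunk);
    }
    buf
}

fn main() {
    // Constructed sample input: three 4 KiB chunks against a 10 KiB limit.
    let chunks: Vec<Vec<u8>> = (0..3).map(|_| vec![b'a'; 4096]).collect();
    match collect_body_bounded(chunks.clone(), 10 * 1024) {
        Ok(body) => println!("accepted {} bytes", body.len()),
        Err(e) => println!("rejected: {:?}", e),
    }
    println!("unbounded collector kept {} bytes", collect_body_unbounded(chunks).len());
}
```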