PT-2024-22266 · Unknown · Apollo Router

Ivangoncharov · Published 2024-03-06 · Updated 2026-01-02 · CVE-2024-28101

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apollo Router versions 0.9.5 through 1.40.2

Description: The Apollo Router is subject to a Denial-of-Service (DoS) type issue. When receiving compressed HTTP payloads, affected versions of the Router evaluate the limits.http_max_request_bytes configuration option only after the entirety of the compressed payload has been decompressed. If affected versions of the Router receive highly compressed payloads, this can result in significant memory consumption while the compressed payload is expanded, because the limit is never applied to the expanding output.

Recommendations: For versions 0.9.5 through 1.40.1, upgrade to version 1.40.2 to resolve the issue. For those unable to upgrade, consider implementing mitigations at proxies or load balancers positioned in front of the Router fleet by enforcing limits on HTTP body upload size.
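The check-after-decompression ordering described above, contrasted with a decompressor that applies the limit while inflating, as an added Python illustration that is not Apollo Router code: the gzip sample body, the 1 MiB limit standing in for limits.http_max_request_bytes, and the helper names are constructed for this example.

```python
import gzip
import tracemalloc
import zlib

# Constructed sample: 8 MiB of zeros gzips down to a few KiB, the shape of body
# the advisory describes (tiny on the wire, large once expanded).
EXPANDED_SIZE = 8 * 1024 * 1024
HIGHLY_COMPRESSED_BODY = gzip.compress(b"0" * EXPANDED_SIZE)
SMALL_BODY = gzip.compress(b'{"query":"{ __typename }"}')
MAX_REQUEST_BYTES = 1024 * 1024  # stands in for limits.http_max_request_bytes

class PayloadTooLarge(Exception):
    """Decompressed body would exceed the configured limit."""

def check_after_decompress(body: bytes, max_request_bytes: int) -> bytes:
    """Vulnerable ordering: expand the whole body first, compare the limit last."""
    expanded = gzip.decompress(body)  # full 8 MiB materialised before any check
    if len(expanded) > max_request_bytes:
        raise PayloadTooLarge(len(expanded))
    return expanded

def bounded_decompress(body: bytes, max_request_bytes: int, chunk: int = 64 * 1024) -> bytes:
    """Hardened ordering: inflate in chunks and reject once output crosses the limit."""
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    pending = body
    while not inflater.eof:
        piece = inflater.decompress(pending, max_length=chunk)
        pending = inflater.unconsumed_tail  # input zlib could not consume yet
        out += piece
        if len(out) > max_request_bytes:  # peak memory stays near limit + chunk
            raise PayloadTooLarge(len(out))
        if not piece and not pending:  # truncated stream: no further progress
            break
    return bytes(out)

def run_with_limit(fn, body: bytes, limit: int) -> tuple[bool, int]:
    """Return (rejected, peak_bytes): did fn raise PayloadTooLarge, and how much
    memory did tracemalloc see it allocate at most while running."""
    tracemalloc.start()
    tracemalloc.reset_peak()
    try:
        fn(body, limit)
        rejected = False
    except PayloadTooLarge:
        rejected = True
    peak = tracemalloc.get_traced_memory()[1]
    tracemalloc.stop()
    return rejected, peak
```

Both functions reject the oversized sample, but only the bounded version does so without first allocating the full expanded payload, which is the difference a proxy-side body-size limit cannot provide once the Router itself performs the decompression.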

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2024-28101
GHSA-CGQF-3CQ5-WVCJ

Affected Products

Apollo Router