PT-2024-25018 · Apollo · Apollo Router

Xuorig · Published 2024-05-02 · Updated 2024-05-02 · CVE-2024-32971
CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apollo Router versions 1.44.0 through 1.45.0

Description: The issue stems from a bug in Apollo Router's cache retrieval logic. When distributed query planning caching is enabled, asking the Router to execute an operation may result in an unexpected variation of that operation being executed or the generation of unexpected errors. This can lead to unintended data or effects, such as fetching incorrect results for a query or sending incorrect mutations to underlying subgraph servers. For example, rather than running fetchUsers(type: ENTERPRISE), the Router may run fetchUsers(type: TRIAL). For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers, such as sending deleteUser(id: 12) instead of deleteUser(id: 10).

Recommendations: To resolve the issue, upgrade to version 1.45.1 or above of the Apollo Router. As an alternative, downgrade to version 1.43.2 of the Apollo Router. If unable to upgrade or downgrade, disable distributed query plan caching by removing the supergraph.query_planning.cache.redis.urls configuration to mitigate the issue.
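A small triage helper for the recommendations above, added here as an example and not code from the advisory or the Apollo project: it flags a Router deployment as exposed only when its version is inside the affected range and distributed query plan caching is actually configured, and it shows the fallback mitigation (dropping the Redis URLs) applied to a parsed config. It assumes the YAML has already been loaded into a dict and that the key path is spelled `supergraph.query_planning.cache.redis.urls`, as in Apollo Router's configuration.

```python
# Added example (not from the advisory or Apollo): triage for CVE-2024-32971.
# Assumes router.yaml is already parsed into a dict and that the distributed
# query plan cache lives at supergraph.query_planning.cache.redis.urls.
import copy

AFFECTED_MIN = (1, 44, 0)  # first affected release named by the advisory
AFFECTED_MAX = (1, 45, 0)  # last affected release named by the advisory
CACHE_URLS_PATH = ("supergraph", "query_planning", "cache", "redis", "urls")


def parse_version(version):
    """Turn '1.44.0' (or 'v1.44.0') into a comparable tuple (1, 44, 0)."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def version_is_affected(version):
    """True for 1.44.0 <= version <= 1.45.0 (inclusive, per the advisory)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def distributed_qp_cache_enabled(config):
    """True when the redis urls list is present and non-empty."""
    node = config
    for key in CACHE_URLS_PATH:
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return bool(node)


def is_exposed(version, config):
    """Exposed only when both conditions hold: affected version AND cache on."""
    return version_is_affected(version) and distributed_qp_cache_enabled(config)


def mitigate(config):
    """Return a copy with the redis urls removed (the advisory's fallback)."""
    fixed = copy.deepcopy(config)
    cache = fixed.get("supergraph", {}).get("query_planning", {}).get("cache", {})
    if isinstance(cache.get("redis"), dict):
        cache["redis"].pop("urls", None)
    return fixed


# Constructed sample: parsed form of a router.yaml with distributed caching on.
SAMPLE_CONFIG = {
    "supergraph": {
        "query_planning": {
            "cache": {"redis": {"urls": ["redis://cache.internal:6379"]}}
        }
    }
}
```

Running `is_exposed("1.44.0", SAMPLE_CONFIG)` returns True, while the same version against `mitigate(SAMPLE_CONFIG)` returns False.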

Related Identifiers

CVE-2024-32971
GHSA-Q9P4-HW9M-FJ2V

Affected Products

Apollo Router