PT-2024-30572 · Apollo · Apollo Router, Apollo Gateway, @apollo/query-planner

Highpeakematt · Published 2024-08-27 · Updated 2024-09-12 · CVE-2024-43414

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

@apollo/query-planner versions 2.0.0 through 2.8.4
@apollo/gateway versions 2.0.0 through 2.8.4
Apollo Router versions prior to 1.52.1
Description

The issue is a denial-of-service vulnerability that can cause the Apollo query planner to loop indefinitely and never complete, resulting in unbounded memory consumption and either a crash or out-of-memory termination. It can be triggered if there is at least one non-@key field that can be resolved by multiple subgraphs; the way such shared fields are identified depends on the version of Federation in use. In JavaScript, if the number of query plan permutations exceeds Number.MAX_VALUE, it is represented as Infinity, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary.
Recommendations

For @apollo/query-planner versions 2.0.0 through 2.8.4, update to version 2.8.5.
For @apollo/gateway versions 2.0.0 through 2.8.4, update to version 2.8.5.
For Apollo Router versions prior to 1.52.1, update to version 1.52.1.

As a temporary workaround, ensure there are no fields resolvable from multiple subgraphs. If all subgraphs use Federation 2, confirm that none of the subgraph schemas use the @shareable directive. If any subgraphs use Federation 1, validate that no field is resolvable by more than one subgraph. Apollo customers with an enterprise entitlement for the Apollo Router can also mitigate much of the risk from this issue by enabling Apollo's Persisted Queries (PQ) feature in safelist mode, which limits the operations the router will plan to a pre-registered set.
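The workaround above is a schema audit, and it is easy to get wrong by hand across many subgraphs. The script below is an added example written for this page, not Apollo's own code or tooling. It runs both checks at once: it lists every field marked @shareable (the Federation 2 condition) and every non-@key, non-@external field that more than one subgraph defines (the Federation 1 condition). It assumes the subgraph SDL is plain object-type definitions with one field per line, no comments or descriptions, and no nested selections in @key; the three subgraph schemas embedded in it are constructed sample input, not a real supergraph.

```javascript
// Added example, not Apollo's code: scan federated subgraph SDL for fields that more than one
// subgraph can resolve, which is the precondition this advisory describes. It is a minimal
// regex-based extraction (assumption: plain SDL object types, one field per line, no comments
// or descriptions, no nested selections in @key) and is not a replacement for composition checks.

const TYPE_RE = /(?:^|\n)\s*(?:extend\s+)?type\s+(\w+)([^{]*)\{([^}]*)\}/g;
const FIELD_RE = /^\s*(\w+)\s*(\([^)]*\))?\s*:\s*([\[\]\w!]+)(.*)$/;

// Returns Map<typeName, Map<fieldName, {key, external, shareable}>> for one subgraph's SDL.
function parseSubgraph(sdl) {
  const types = new Map();
  for (const m of sdl.matchAll(TYPE_RE)) {
    const [, typeName, header, body] = m;
    const keyFields = new Set();
    for (const k of header.matchAll(/@key\s*\(\s*fields\s*:\s*"([^"]*)"/g)) {
      for (const f of k[1].trim().split(/\s+/)) if (f) keyFields.add(f);
    }
    // Federation 2: @shareable on the type applies to every field of that type.
    const typeShareable = /@shareable\b/.test(header);
    const fields = new Map();
    for (const line of body.split('\n')) {
      const fm = line.match(FIELD_RE);
      if (!fm) continue;
      const [, fieldName, , , directives] = fm;
      fields.set(fieldName, {
        key: keyFields.has(fieldName),
        external: /@external\b/.test(directives),
        shareable: typeShareable || /@shareable\b/.test(directives),
      });
    }
    types.set(typeName, fields);
  }
  return types;
}

// subgraphs: { subgraphName: sdlString }. Returns
//   shareable:       every "Type.field (subgraph)" marked @shareable (Federation 2 check)
//   multiResolvable: { "Type.field": [subgraphs] } for non-@key, non-@external fields that
//                    more than one subgraph defines (Federation 1 value-type style sharing)
function findSharedFields(subgraphs) {
  const shareable = [];
  const owners = new Map();
  for (const [sgName, sdl] of Object.entries(subgraphs)) {
    for (const [typeName, fields] of parseSubgraph(sdl)) {
      for (const [fieldName, info] of fields) {
        const id = `${typeName}.${fieldName}`;
        if (info.shareable) shareable.push(`${id} (${sgName})`);
        // @key fields are expected in every subgraph that references the entity, and
        // @external fields are resolved elsewhere, so neither counts as resolvable here.
        if (info.key || info.external) continue;
        if (!owners.has(id)) owners.set(id, []);
        owners.get(id).push(sgName);
      }
    }
  }
  const multiResolvable = Object.fromEntries([...owners].filter(([, sgs]) => sgs.length > 1));
  return { shareable, multiResolvable };
}

// Constructed sample supergraph (not a real deployment): Product.name is resolvable from two
// subgraphs and Review is fully @shareable, so both checks report something.
const SUBGRAPHS = {
  products: `
    type Product @key(fields: "id") {
      id: ID!
      name: String! @shareable
      price: Int
    }
    type Query {
      product(id: ID!): Product
    }
  `,
  inventory: `
    type Product @key(fields: "id") {
      id: ID!
      name: String! @shareable
      inStock: Boolean!
    }
    type Query {
      inStock(id: ID!): Boolean
    }
  `,
  reviews: `
    type Product @key(fields: "id") {
      id: ID!
      reviews: [Review]
    }
    type Review @shareable {
      id: ID!
      body: String
    }
    type Query {
      topReviews: [Review]
    }
  `,
};

console.log(JSON.stringify(findSharedFields(SUBGRAPHS), null, 2));
```

Feed it the SDL of each subgraph as exported from your schema registry and treat any non-empty result as a reason to apply the patch rather than rely on the workaround. Two limitations worth knowing: the duplicate check only counts fields a subgraph defines itself, so it does not model @provides, which also lets a subgraph resolve fields it does not own; and a root operation field defined in two subgraphs shows up under multiResolvable even without @shareable, which is the intended behaviour since such fields are resolvable from both.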


Weakness Enumeration

Uncontrolled Recursion (CWE-674)

Related Identifiers

CVE-2024-43414
GHSA-fmj9-77q8-g6c4

Affected Products

Apollo Gateway (@apollo/gateway)
@apollo/query-planner
Apollo Router