Apollo Gateway Excessive Resource Consumption Vulnerability via Named Fragment Expansion

Vulnerability

A denial-of-service vulnerability has been identified in Apollo Gateway versions prior to 2.10.1. This issue arises from the query planning process, where deeply nested and reused named fragments are expanded multiple times, leading to exponential resource consumption. As a result, certain query patterns can cause excessive resource usage, rendering the gateway inoperable.
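To make the expansion pattern described above concrete from the defender's side, the following is an added example (not Apollo Gateway's own code). It counts how many fragment inlinings a GraphQL document would produce if every named fragment spread were expanded in place, which is the quantity that grows multiplicatively when nested fragments are reused; a gateway or reverse proxy can reject documents over a budget before they reach the query planner. The sample documents, the `checkFragmentExpansion` helper and the budget of 1000 are assumptions made for the example, and the brace-matching extraction is a simplification, not a GraphQL parser.

```javascript
// Added example, not code from Apollo Gateway: estimate the inline-expansion cost
// of named fragments before query planning. Assumes no '{' or '}' characters
// inside string literals (simplifying assumption; a real deployment would walk
// the AST from a proper GraphQL parser instead).

const FRAGMENT_DEF = /fragment\s+(\w+)\s+on\s+\w+[^{]*\{/g;
const SPREAD = /\.\.\.\s*(?!on\b)(\w+)/g; // named spreads only, not "... on Type"

// Return the index just past the '}' that closes the '{' at openIdx.
function closingBrace(doc, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < doc.length; i++) {
    if (doc[i] === '{') depth++;
    else if (doc[i] === '}' && --depth === 0) return i + 1;
  }
  throw new Error('unbalanced braces in document');
}

// Split a document into a map of fragment name -> body and the operation text.
function splitDocument(doc) {
  const fragments = new Map();
  let operations = '';
  let cursor = 0;
  let m;
  FRAGMENT_DEF.lastIndex = 0;
  while ((m = FRAGMENT_DEF.exec(doc)) !== null) {
    const bodyStart = FRAGMENT_DEF.lastIndex; // just after the opening '{'
    const end = closingBrace(doc, bodyStart - 1);
    fragments.set(m[1], doc.slice(bodyStart, end - 1));
    operations += doc.slice(cursor, m.index);
    cursor = end;
    FRAGMENT_DEF.lastIndex = end;
  }
  operations += doc.slice(cursor);
  return { fragments, operations };
}

function spreadsIn(text) {
  return Array.from(text.matchAll(SPREAD), (m) => m[1]);
}

// Count fragment inlinings reachable from `text`. Each spread costs 1 for the
// fragment itself plus everything its body spreads, so a fragment spread twice
// is counted twice, exactly as naive in-place expansion would do it. A fragment
// that (transitively) spreads itself yields Infinity instead of recursing.
function countExpansions(text, fragments, memo, stack) {
  let total = 0;
  for (const name of spreadsIn(text)) {
    if (!fragments.has(name)) throw new Error(`unknown fragment ${name}`);
    if (stack.has(name)) return Infinity; // fragment cycle
    if (!memo.has(name)) {
      stack.add(name);
      memo.set(name, countExpansions(fragments.get(name), fragments, memo, stack));
      stack.delete(name);
    }
    total += 1 + memo.get(name);
  }
  return total;
}

// Guard entry point: returns the expansion count and whether it fits the budget.
function checkFragmentExpansion(doc, maxExpansions = 1000) {
  const { fragments, operations } = splitDocument(doc);
  const expansions = countExpansions(operations, fragments, new Map(), new Set());
  return { expansions, ok: expansions <= maxExpansions };
}

// Constructed sample: three nested fragments, each spread twice by its parent.
const REUSED = `
  query Viewer { me { ...Profile ...Profile } }
  fragment Profile on User { id ...Contact ...Contact }
  fragment Contact on User { name ...Email ...Email }
  fragment Email on User { email }
`;
// Constructed sample: the same fragments, each spread once (linear growth).
const LINEAR = `
  query Viewer { me { ...Profile } }
  fragment Profile on User { id ...Contact }
  fragment Contact on User { name ...Email }
  fragment Email on User { email }
`;
// Constructed sample: a self-referencing fragment (invalid GraphQL; the guard
// must report it rather than loop).
const CYCLIC = 'query Q { me { ...Loop } } fragment Loop on User { ...Loop }';

console.log('reused :', checkFragmentExpansion(REUSED));  // 14 inlinings
console.log('linear :', checkFragmentExpansion(LINEAR));  // 3 inlinings
console.log('cyclic :', checkFragmentExpansion(CYCLIC));  // Infinity, rejected
```

Three levels of fragments spread twice each already cost 14 inlinings against 3 for the same fragments spread once; each additional reused level roughly doubles the count, so a fixed budget checked before planning bounds the work regardless of how the document is shaped.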

Impact

Exploitation of this vulnerability can lead to excessive resource consumption, causing the Apollo Gateway to become inoperable.

Remediation

Users can upgrade to Apollo Gateway version 2.10.1 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 8.3
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.