Apollo Gateway
cpe:2.3:a:apollographql:apollo_gateway:*:*:*:*:node.js:*:*
- < 2.10.1
A denial-of-service vulnerability has been identified in Apollo Gateway versions prior to 2.10.1. The issue arises when queries contain deeply nested and reused named fragments, which can complicate the query planning process. This complexity prevents the query planner from applying certain optimizations that typically speed up processing, resulting in significantly longer planning times. The lack of a timeout in the query planner allows a small number of such queries to disrupt gateway operations, causing excessive resource consumption and rendering the gateway inoperable.
Exploitation of this vulnerability can lead to uncontrolled resource consumption, causing the Apollo Gateway to become inoperable.
Users can upgrade to Apollo Gateway version 2.10.1 to address this vulnerability. This version includes a new 'Query Optimization Limit' metric that helps prevent excessive computation by approximating the number of selections that cannot be optimized, thus avoiding prolonged query planning times.
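The advisory describes the hazard as named fragments that are nested deeply and spread repeatedly, so that the expanded selection set is far larger than the document that produced it. One defensive measure a gateway operator can add in front of the planner is a cheap bound on exactly that expansion. The following is an added example, not Apollo Gateway's own code and not the 'Query Optimization Limit' metric introduced in 2.10.1: it extracts fragment definitions with a simplified brace-matching scanner (an assumption for illustration; a production check should walk the AST produced by the `graphql` package's `parse`), then computes the deepest spread chain and the total number of spreads after full expansion, counting each reuse. The limit values in `DEFAULT_LIMITS` and the sample documents are constructed for this example.

```javascript
// Added example: a pre-planning guard on named-fragment nesting and reuse.
// Hypothetical helper, not part of Apollo Gateway. Limit values are assumed.
const DEFAULT_LIMITS = { maxDepth: 8, maxExpansions: 200 };

// Collect the fragment names spread in a piece of document text.
// Inline fragments ("... on Type") are skipped: they do not reference a definition.
function spreadsIn(text) {
  const out = [];
  const re = /\.\.\.\s*([A-Za-z_]\w*)/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    if (m[1] !== 'on') out.push(m[1]);
  }
  return out;
}

// Simplified extractor (assumption for illustration): finds each
// "fragment Name on Type { ... }" by matching braces, records the fragments it
// spreads directly, and returns the spreads made from operations (the "root").
function extractFragments(doc) {
  const frags = new Map();
  const spans = [];
  const defRe = /\bfragment\s+([A-Za-z_]\w*)\s+on\s+[A-Za-z_]\w*[^{]*\{/g;
  let m;
  while ((m = defRe.exec(doc)) !== null) {
    const bodyStart = defRe.lastIndex;
    let depth = 1;
    let i = bodyStart;
    while (i < doc.length && depth > 0) {
      if (doc[i] === '{') depth++;
      else if (doc[i] === '}') depth--;
      i++;
    }
    frags.set(m[1], spreadsIn(doc.slice(bodyStart, i - 1)));
    spans.push([m.index, i]);
    defRe.lastIndex = i;
  }
  let rest = '';
  let prev = 0;
  for (const [s, e] of spans) { rest += doc.slice(prev, s); prev = e; }
  rest += doc.slice(prev);
  return { frags, rootSpreads: spreadsIn(rest) };
}

// Deepest chain of nested spreads and total expanded spread count.
// Memoisation keeps the guard itself linear in the number of definitions even
// when the fully expanded selection set would be exponential, so the check
// cannot be turned into the very slowdown it is meant to prevent.
function fragmentExpansion(frags, rootSpreads) {
  const memo = new Map();
  const onStack = new Set();
  function visit(name) {
    if (memo.has(name)) return memo.get(name);
    if (onStack.has(name)) throw new Error(`fragment cycle through "${name}"`);
    if (!frags.has(name)) throw new Error(`unknown fragment "${name}"`);
    onStack.add(name);
    let depth = 1;
    let size = 1;
    for (const child of frags.get(name)) {
      const r = visit(child);
      depth = Math.max(depth, 1 + r.depth);
      size += r.size;
    }
    onStack.delete(name);
    const result = { depth, size };
    memo.set(name, result);
    return result;
  }
  let depth = 0;
  let expansions = 0;
  for (const s of rootSpreads) {
    const r = visit(s);
    depth = Math.max(depth, r.depth);
    expansions += r.size;
  }
  return { depth, expansions };
}

// Decide whether a document may proceed to query planning.
function checkDocument(doc, limits = DEFAULT_LIMITS) {
  const { frags, rootSpreads } = extractFragments(doc);
  try {
    const { depth, expansions } = fragmentExpansion(frags, rootSpreads);
    const ok = depth <= limits.maxDepth && expansions <= limits.maxExpansions;
    return { ok, depth, expansions, reason: ok ? null : 'fragment nesting or expansion over limit' };
  } catch (e) {
    return { ok: false, depth: null, expansions: null, reason: e.message };
  }
}

// Constructed sample: three nested fragments, each reused twice along the way.
const SAMPLE_DOC = `
query Q { me { ...A ...A } }
fragment A on User { id ...B ...B }
fragment B on User { name ...C }
fragment C on User { email }
`;

console.log(checkDocument(SAMPLE_DOC));
```

The check is a complement to upgrading, not a replacement for it: it rejects a document before any planning work is spent, and it reports fragment cycles and unknown fragments as failures rather than recursing into them. Keep the limits comfortably above what legitimate clients send, and alert on rejections, since a burst of them from one client is worth investigating.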