Apollo Router Excessive Resource Consumption Vulnerability via Fragment Optimization Bypass

Vulnerability

A denial-of-service vulnerability has been identified in Apollo Router versions prior to 1.61.2 and 2.0.0-alpha.0 through 2.1.1. This issue arises in the query planner, which includes an optimization to enhance the performance of certain GraphQL selections. However, queries that utilize deeply nested and reused named fragments can create a high number of selections where this optimization is ineffective, resulting in significantly prolonged query planning times. The lack of a timeout in the query planner allows a small number of such queries to deplete the router's thread pool, causing it to become unresponsive. All prior-released versions and configurations are vulnerable except those where 'persisted_queries.enabled', 'persisted_queries.safelist.enabled', and 'persisted_queries.safelist.require_id' are all 'true'.

Impact

Exploitation of this vulnerability leads to excessive resource consumption, causing the router to become inoperable.

Reproduction

To reproduce this vulnerability, send a GraphQL query that includes deeply nested and reused named fragments. Ensure that the request is not covered by the 'persisted_queries' safelist and that 'persisted_queries.safelist.require_id' is set to 'false'.
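As an added example (not Apollo Router or Apollo code), the following gateway-side heuristic estimates how far a document's named fragments expand once every spread is resolved, which is the query shape this advisory describes, so such documents can be rejected before they reach the planner. The regexes, the default thresholds in is_suspicious and the SAMPLE document are constructed assumptions, not the router's own parser or limits.

```python
import re

# Added example, not Apollo Router code: estimates fragment expansion of a GraphQL document.
FRAG_DEF = re.compile(r"\bfragment\s+(\w+)\s+on\s+\w+[^{]*\{")
SPREAD = re.compile(r"\.\.\.\s*(?!on\b)(\w+)")  # named spreads only, not inline "... on T"

def _match_brace(text, open_idx):
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return i  # the '}' closing the '{' at open_idx
    raise ValueError("unbalanced braces in document")

def fragment_stats(doc):
    """(expanded_spreads, max_chain): spreads after transitive expansion, longest nesting."""
    bodies, spans = {}, []
    for m in FRAG_DEF.finditer(doc):
        close = _match_brace(doc, m.end() - 1)
        bodies[m.group(1)] = doc[m.end():close]
        spans.append((m.start(), close + 1))
    deps = {name: SPREAD.findall(body) for name, body in bodies.items()}
    memo, visiting = {}, set()
    def walk(name):  # (expanded count, chain depth) for one spread of `name`
        if name in memo:
            return memo[name]
        if name in visiting:  # cyclic fragments are invalid GraphQL; reject them
            raise ValueError(f"fragment cycle through {name}")
        visiting.add(name)
        kids = [walk(d) for d in deps.get(name, [])]
        memo[name] = (1 + sum(k[0] for k in kids), 1 + max((k[1] for k in kids), default=0))
        visiting.discard(name)
        return memo[name]
    # Operation text is the document with the fragment definitions cut out.
    cuts = [0] + [i for span in spans for i in span] + [len(doc)]
    op_text = "".join(doc[cuts[j]:cuts[j + 1]] for j in range(0, len(cuts), 2))
    results = [walk(s) for s in SPREAD.findall(op_text)]
    return sum(r[0] for r in results), max((r[1] for r in results), default=0)

def is_suspicious(doc, max_expanded=500, max_chain=10):  # constructed default thresholds
    expanded, chain = fragment_stats(doc)
    return expanded > max_expanded or chain > max_chain

# Constructed sample: A is spread twice and spreads B twice, B spreads C twice,
# so the two spreads in the operation expand to 14 with a nesting chain of 3.
SAMPLE = """
query Q { user { ...A ...A } }
fragment A on User { id ...B ...B }
fragment B on User { name ...C ...C }
fragment C on User { email }
"""
```

The thresholds should be tuned against the operations real clients send; the count grows multiplicatively with reuse at each nesting level, which is why a short document can expand to a very large number of selections.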

Remediation

Update to Apollo Router version 1.61.2 or 2.1.1. If using a version within the 2.0.0-alpha range, ensure that 'persisted_queries.enabled', 'persisted_queries.safelist.enabled', and 'persisted_queries.safelist.require_id' are all set to 'true'.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 9.1
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.