Apollo Router
cpe:2.3:a:apollographql:apollo-router:*:*:*:*:rust:*:*, +1 more
- < 1.61.2
- >= 2.0.0-alpha.0, < 2.1.1
A denial-of-service vulnerability has been identified in the Apollo Router prior to versions 1.61.2 and 2.1.1. The issue is in the operation limits plugin, which tracks its limit counters, such as a query's height, in unsigned 32-bit integers. When a counter passed the maximum value of that type it wrapped around to zero, so a query far beyond a configured threshold could compare as small and bypass the limit. The counter can be driven that high either by a very large query, where the operator has raised the router's payload limit, or by a small query whose deeply nested and reused named fragments are counted once per spread, so the total grows multiplicatively with nesting and reuse.
Exploitation of this vulnerability could lead to a denial-of-service condition, causing the router to become inoperable due to uncontrolled resource consumption.
To reproduce this vulnerability, send either a large query (only possible where the router's payload limit has been raised above the default) or a small query that contains deeply nested and reused named fragments. Ensure that the Apollo Router is running a version prior to the patched releases and that persisted-query safelisting ('persisted_queries') is not enabled, since a safelist would reject the attacker-supplied operation before the limits plugin runs.
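The following Rust program is an added illustration of the bug class described above and is not Apollo Router's code. It models a height-style counter that totals the fields a query reaches through fragment spreads, once with wrapping u32 arithmetic (the vulnerable behaviour) and once with checked arithmetic that treats overflow as over the limit (the hardened behaviour), and feeds both a constructed document in which each of 32 named fragments spreads the next one twice, so the true count is 2^32. The selection types, the fragment builder, the limit of 1,000 fields and all names are assumptions made for the example.

```rust
use std::collections::HashMap;

/// One item in a selection set: a concrete field, or a spread of a named fragment.
/// Constructed toy model of GraphQL selections (assumption), not Apollo Router's AST.
#[derive(Clone, Debug)]
pub enum Sel {
    Field,
    Spread(String),
}

/// Named fragments of the document, keyed by name. Assumed acyclic, as GraphQL
/// validation requires; the walk below does not guard against cycles.
pub type Fragments = HashMap<String, Vec<Sel>>;

/// Total the fields reached from `sels`, expanding every fragment spread.
/// Fragments are memoised so reuse does not blow up the walk itself, but the
/// *count* still grows multiplicatively with nesting and reuse. `add` decides
/// what happens when the running u32 total overflows.
fn count_fields(
    frags: &Fragments,
    sels: &[Sel],
    memo: &mut HashMap<String, u32>,
    add: &dyn Fn(u32, u32) -> Option<u32>,
) -> Option<u32> {
    let mut total: u32 = 0;
    for s in sels {
        let n = match s {
            Sel::Field => 1,
            Sel::Spread(name) => match memo.get(name).copied() {
                Some(c) => c,
                None => {
                    let body = frags.get(name).expect("unknown fragment");
                    let c = count_fields(frags, body, memo, add)?;
                    memo.insert(name.clone(), c);
                    c
                }
            },
        };
        total = add(total, n)?;
    }
    Some(total)
}

/// Vulnerable counter: additions silently wrap past u32::MAX, which is what a
/// plain `+` does on u32 in a release build with overflow checks off.
pub fn query_size_wrapping(frags: &Fragments, op: &[Sel]) -> u32 {
    let mut memo = HashMap::new();
    count_fields(frags, op, &mut memo, &|a: u32, b: u32| Some(a.wrapping_add(b)))
        .expect("wrapping add never fails")
}

/// Hardened counter: checked additions; `None` means the counter overflowed and
/// must be treated as over the limit, never as zero.
pub fn query_size_checked(frags: &Fragments, op: &[Sel]) -> Option<u32> {
    let mut memo = HashMap::new();
    count_fields(frags, op, &mut memo, &|a: u32, b: u32| a.checked_add(b))
}

pub fn passes_limit_wrapping(frags: &Fragments, op: &[Sel], max_fields: u32) -> bool {
    query_size_wrapping(frags, op) <= max_fields
}

pub fn passes_limit_checked(frags: &Fragments, op: &[Sel], max_fields: u32) -> bool {
    matches!(query_size_checked(frags, op), Some(n) if n <= max_fields)
}

/// Constructed payload (assumption): fragments F0..F{depth-1} each spread the
/// next fragment twice; F{depth} is a single field. The operation spreads F0,
/// so its field count is 2^depth and depth 32 overflows a u32 exactly to 0.
pub fn deep_reused_fragments(depth: u32) -> (Fragments, Vec<Sel>) {
    let mut frags = Fragments::new();
    for i in 0..depth {
        let next = format!("F{}", i + 1);
        frags.insert(format!("F{i}"), vec![Sel::Spread(next.clone()), Sel::Spread(next)]);
    }
    frags.insert(format!("F{depth}"), vec![Sel::Field]);
    (frags, vec![Sel::Spread("F0".to_string())])
}

fn main() {
    let max_fields = 1_000; // illustrative threshold, not a router default
    for depth in [8, 32] {
        let (frags, op) = deep_reused_fragments(depth);
        println!(
            "depth {depth}: wrapping count {} -> {}; checked count {:?} -> {}",
            query_size_wrapping(&frags, &op),
            if passes_limit_wrapping(&frags, &op, max_fields) { "ACCEPTED" } else { "rejected" },
            query_size_checked(&frags, &op),
            if passes_limit_checked(&frags, &op, max_fields) { "accepted" } else { "REJECTED" },
        );
    }
}
```

The model uses `wrapping_add` explicitly because plain `+` on a u32 panics in a debug build and only wraps in a release build (unless `overflow-checks` is enabled), so an overflow bug of this kind is easy to miss in tests. The fix pattern is the same regardless of the counter's exact semantics: use `checked_add` or `saturating_add` and reject on `None` or on reaching `u32::MAX`, rather than letting the comparison see a wrapped value.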
Update Apollo Router to version 1.61.2 (1.x line) or 2.1.1 (2.x line). If you cannot upgrade yet, enable persisted-query safelisting ('persisted_queries.safelist') together with 'persisted_queries.safelist.require_id', so that only pre-registered operations reach the limits plugin and attacker-crafted queries are rejected by ID before their counters are computed.