Apollo Router
cpe:2.3:a:apollographql:apollo-router:*:*:*:*:rust:*:*, +1 more
- < 1.61.2
- >= 2.0.0-alpha.0, < 2.1.1
A denial-of-service vulnerability has been identified in Apollo Router versions prior to 1.61.2 and 2.1.1. It arises in the query planner: a query whose named fragments are deeply nested and spread repeatedly is expanded once per fragment spread rather than once per fragment, so planning work grows exponentially with nesting depth while the query text itself stays small. The affected code is Apollo Router Core, which manages a federated supergraph using Apollo Federation 2.
Exploitation of this vulnerability can cause significant resource exhaustion, leading to a denial-of-service condition where the router becomes inoperable.
The issue can be reproduced by sending a query with deeply nested, reused named fragments: each fragment spreads the one below it several times, down to a leaf fragment that selects ordinary fields. During query planning every named fragment is expanded once for each spread, so the expanded selection set grows as (spreads per fragment) to the power of (nesting depth) even though the document grows only linearly. The effect is visible in the query planning metrics as excessive memory consumption and allocation counts.
Upgrade to Apollo Router 1.61.2 or 2.1.1 (or later) to remediate this vulnerability. Apollo Router's query planning can also be configured to disable the non-local selections check; disabling it is not recommended unless there is a specific need, and upgrading remains the fix.
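The two points above, the exponential blow-up from per-spread expansion and a cheap guard one could put in front of an unpatched router, as an added example in Rust. This is illustration code written for this page, not Apollo Router's source or its fix: the `Fragment`/`Doc` model, the `Node`/`node`/`f<i>`/`a<i>` names in the rendered query, and the functions `build_nested_doc`, `render`, `naive_expanded_fields` and `check_expansion_budget` are all invented here. `naive_expanded_fields` counts selections the way a planner that re-expands at every spread would (exponential), while `check_expansion_budget` costs each fragment once, in time linear in the document, and rejects over-budget, cyclic or unknown fragments before any planning happens.

```rust
use std::collections::{HashMap, HashSet};

/// Minimal model of the named fragments in a GraphQL document.  Illustrative
/// model written for this example, not the router's own types.
#[derive(Debug, Clone)]
pub struct Fragment {
    pub name: String,
    pub fields: u64,          // scalar fields selected directly in the fragment
    pub spreads: Vec<String>, // named fragments spread inside it (repeats allowed)
}

#[derive(Debug, Clone)]
pub struct Doc {
    pub root_spreads: Vec<String>,
    pub fragments: HashMap<String, Fragment>,
}

/// Builds the hostile shape the advisory describes: F0 selects one scalar and
/// every Fi spreads F(i-1) `fanout` times.  The text grows as depth * fanout,
/// but a planner that re-expands at every spread does fanout^depth work.
pub fn build_nested_doc(depth: usize, fanout: usize) -> Doc {
    let mut fragments = HashMap::new();
    fragments.insert("F0".to_string(), Fragment { name: "F0".into(), fields: 1, spreads: Vec::new() });
    for i in 1..=depth {
        let (name, prev) = (format!("F{i}"), format!("F{}", i - 1));
        fragments.insert(name.clone(), Fragment { name, fields: 0, spreads: vec![prev; fanout] });
    }
    Doc { root_spreads: vec![format!("F{depth}")], fragments }
}

/// Renders the model as GraphQL text so the shape is visible.  `Node`, `node`,
/// `f<i>` and the `a<i>` aliases are invented names; the aliases keep the
/// repeated spreads from being trivially mergeable.
pub fn render(doc: &Doc) -> String {
    let mut out = String::from("query Q {\n");
    for s in &doc.root_spreads {
        out.push_str(&format!("  ...{s}\n"));
    }
    out.push_str("}\n");
    let mut names: Vec<&String> = doc.fragments.keys().collect();
    names.sort();
    for n in names {
        let f = &doc.fragments[n];
        out.push_str(&format!("fragment {} on Node {{\n", f.name));
        for i in 0..f.fields {
            out.push_str(&format!("  f{i}\n"));
        }
        for (i, s) in f.spreads.iter().enumerate() {
            out.push_str(&format!("  a{i}: node {{ ...{s} }}\n"));
        }
        out.push_str("}\n");
    }
    out
}

/// Counts selections the way a planner that expands a fragment again at every
/// spread would.  Exponential in depth: only call it on small, acyclic input.
pub fn naive_expanded_fields(doc: &Doc) -> u64 {
    fn walk(doc: &Doc, name: &str) -> u64 {
        let f = &doc.fragments[name];
        f.fields + f.spreads.iter().map(|s| walk(doc, s)).sum::<u64>()
    }
    doc.root_spreads.iter().map(|s| walk(doc, s)).sum()
}

/// Pre-planning guard: estimates the fully expanded selection count by costing
/// each fragment once (memoised), so it runs in time linear in the document
/// even on hostile input.  Checked arithmetic, cycle and unknown-fragment
/// rejection, and an early exit as soon as any partial total exceeds `budget`.
/// Illustrative check written for this example, not the router's own fix.
pub fn check_expansion_budget(doc: &Doc, budget: u64) -> Result<u64, String> {
    fn add(a: u64, b: u64, budget: u64) -> Result<u64, String> {
        a.checked_add(b).filter(|&t| t <= budget)
            .ok_or_else(|| format!("expanded selections exceed budget {budget}"))
    }
    fn cost(doc: &Doc, name: &str, budget: u64, memo: &mut HashMap<String, u64>,
            stack: &mut HashSet<String>) -> Result<u64, String> {
        if let Some(&c) = memo.get(name) {
            return Ok(c);
        }
        if !stack.insert(name.to_string()) {
            return Err(format!("fragment cycle through {name}"));
        }
        let f = doc.fragments.get(name).ok_or_else(|| format!("unknown fragment {name}"))?;
        let mut total = add(0, f.fields, budget)?;
        for s in &f.spreads {
            let c = cost(doc, s, budget, memo, stack)?;
            total = add(total, c, budget)?;
        }
        stack.remove(name);
        memo.insert(name.to_string(), total);
        Ok(total)
    }
    let (mut memo, mut stack, mut total) = (HashMap::new(), HashSet::new(), 0u64);
    for s in &doc.root_spreads {
        let c = cost(doc, s, budget, &mut memo, &mut stack)?;
        total = add(total, c, budget)?;
    }
    Ok(total)
}

fn main() {
    let small = build_nested_doc(4, 3);
    println!("{}", render(&small));
    println!("naive expansion, depth 4 / fanout 3: {}", naive_expanded_fields(&small));
    let hostile = build_nested_doc(40, 3); // a few kilobytes of text, 3^40 expansions
    println!("hostile query is {} bytes", render(&hostile).len());
    println!("guard verdict: {:?}", check_expansion_budget(&hostile, 100_000));
}
```

The guard is deliberately an over-approximation: it counts every spread as fully expanded and ignores any deduplication a smarter planner might do, which is the safe direction for an admission check. A budget in the low tens of thousands of selections is far above any legitimate query and still rejects the depth-40 document after costing only eleven fragments.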