Apollo Router Excessive Resource Consumption Vulnerability via Named Fragment Processing

Vulnerability

A denial-of-service vulnerability has been identified in Apollo Router versions prior to 1.61.2 and 2.0.0-alpha.0 through 2.1.1. This vulnerability arises from the router's handling of GraphQL queries that contain deeply nested and reused named fragments. During query validation, these fragments were processed multiple times, leading to exponential resource consumption. The issue has been addressed by modifying the validation logic to process each named fragment only once, thereby preventing redundant traversal.
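The difference between the pre-fix and fixed validation behaviour can be shown with a small model of a document's fragment-spread graph. This is an added illustration, not Apollo Router code; the graph builder, the function names and the fan-out of two spreads per fragment are constructed assumptions.

```python
# Added illustration of the validation behaviour described above; this is not
# Apollo Router code. A GraphQL document is reduced to its fragment-spread
# graph: each name maps to the named fragments it spreads, "query" being the
# operation root. All names and values here are constructed.

def build_nested_reuse(depth: int, fanout: int = 2) -> dict[str, list[str]]:
    """Constructed fragment graph: F0 spreads F1 `fanout` times, F1 spreads F2
    `fanout` times, ... and F<depth> spreads nothing. Every fragment is both
    reused (spread more than once) and deeply nested."""
    spreads = {f"F{i}": [f"F{i + 1}"] * fanout for i in range(depth)}
    spreads[f"F{depth}"] = []
    spreads["query"] = ["F0"]
    return spreads


def naive_fragment_visits(spreads: dict[str, list[str]], root: str = "query") -> int:
    """Pre-fix model: re-walk a fragment's selection set every time it is
    spread. Returns the number of fragment traversals, which grows as
    fanout ** depth for the graph above."""
    visits = 0
    stack = [root]
    while stack:
        name = stack.pop()
        if name != root:
            visits += 1
        stack.extend(spreads[name])
    return visits


def visit_once_fragment_visits(spreads: dict[str, list[str]], root: str = "query") -> int:
    """Fixed model: a named fragment is traversed at most once per validation,
    so work is bounded by the number of fragments in the document. The `seen`
    set also makes the walk terminate on an (invalid) cyclic spread."""
    seen: set[str] = set()
    stack = [root]
    while stack:
        name = stack.pop()
        for child in spreads[name]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return len(seen)


if __name__ == "__main__":
    for depth in (4, 8, 12):
        graph = build_nested_reuse(depth)
        print(depth, naive_fragment_visits(graph), visit_once_fragment_visits(graph))
```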

Impact

Exploitation of this vulnerability could cause excessive resource consumption, leading to a denial-of-service condition where the router becomes inoperable.

Reproduction

The vulnerability can be reproduced by sending GraphQL queries that include deeply nested and reused named fragments, that is, a query that references the same fragment multiple times and contains layers of fragments nested within each other. The Apollo Router must be running an affected version, since the issue is mitigated in 1.61.2 and 2.1.1, and must be configured without the 'persisted_queries' option enabled.

Remediation

Users can update to Apollo Router versions 1.61.2 or 2.1.1 to address this vulnerability. For those using Apollo Router 2.0.0-alpha.0, an update to 2.1.1 is recommended.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 2.5
exploitability: 8.4
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.