Apollo Server Denial-of-Service Vulnerability in Standalone Configuration

Vulnerability

A denial-of-service vulnerability affects Apollo Server versions 2.0.0 through 3.13.0, 4.2.0 before 4.13.0, and 5.0.0 before 5.4.0. The default configuration of the 'startStandaloneServer' function exported from '@apollo/server/standalone' can be driven into a denial-of-service condition by specially crafted request bodies that declare exotic character set encodings. Applications that consume '@apollo/server' only through an integration package such as '@as-integrations/express5' or '@as-integrations/next' are not affected; only applications that call 'startStandaloneServer' directly are.

Impact

Successful exploitation causes the affected server to become unresponsive or unavailable to legitimate clients. No authentication is required: any client that can reach the GraphQL endpoint can send the crafted request.

Reproduction

To reproduce, run Apollo Server in the standalone configuration and send it a POST request whose Content-Type header declares a character set outside the UTF-8, UTF-16 and UTF-32 family. A patched server (4.13.0, 5.4.0 or later) rejects such a request with '415 Unsupported Media Type'; a vulnerable server does not reject it, and a crafted body in that encoding triggers the denial-of-service condition. Postman or a short script that varies the declared charset is sufficient for the test, and the 415 response is the signal that the server has been patched.

Remediation

Upgrade to Apollo Server 4.13.0 or 5.4.0 (or later). These releases restrict the accepted character set encodings to UTF-8, UTF-16 (little or big endian) and UTF-32 (little or big endian), and reject any other declared encoding with a '415 Unsupported Media Type' response. The installed version can be confirmed with 'npm ls @apollo/server'. Users of Apollo Server v2 or v3 who cannot move to a fixed release can work around the issue by switching from the standalone server to an integration package such as 'apollo-server-express' or 'apollo-server-koa', since the integration packages are not affected.
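The charset restriction described above, and the reproduction probe from the previous section, as an added example in plain Node.js that is not Apollo Server's own code: a Content-Type parser that accepts only the Unicode encodings the fixed releases allow, a Connect/Express-style middleware that answers 415 otherwise, and a stub-driven run that stands in for the Postman test. The function names, the exact allowlist labels (including the 'utf8' alias and the endianness-less forms), the treatment of a missing charset as UTF-8, and the constructed sample headers are assumptions of this example; the upstream patch may implement the check differently.

```javascript
// Added example (not Apollo Server's own code). Implements the gate the fixed
// releases are described as adding: only Unicode charsets may be declared on
// the request body; anything else is refused with 415 before the body is
// decoded. Function names and the exact allowlist are this example's own.

// Charset labels accepted here, compared case-insensitively. The advisory names
// UTF-8, UTF-16 LE/BE and UTF-32 LE/BE; the endianness-less forms and the
// "utf8" alias are assumptions made for this example.
const ALLOWED_CHARSETS = new Set([
  'utf-8', 'utf8',
  'utf-16', 'utf-16le', 'utf-16be',
  'utf-32', 'utf-32le', 'utf-32be',
]);

// Parse the charset parameter out of a Content-Type header value.
// Returns { mediaType, charset, allowed }. A missing charset is treated as
// UTF-8 (the JSON default); that is this example's choice, not the advisory's.
function classifyCharset(contentType) {
  const [rawType, ...params] = String(contentType || '').split(';');
  const mediaType = rawType.trim().toLowerCase();
  let charset = 'utf-8';
  for (const param of params) {
    const eq = param.indexOf('=');
    if (eq === -1) continue;
    const key = param.slice(0, eq).trim().toLowerCase();
    if (key !== 'charset') continue;
    // charset="ISO-8859-1" and charset=ISO-8859-1 must compare equal.
    charset = param.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1').toLowerCase();
  }
  return { mediaType, charset, allowed: ALLOWED_CHARSETS.has(charset) };
}

// Connect/Express-style middleware. Mount it before any body parser so a
// request declaring an unsupported charset never reaches the decoder.
function unicodeCharsetGate(req, res, next) {
  const { charset, allowed } = classifyCharset(req.headers['content-type']);
  if (allowed) return next();
  res.statusCode = 415;
  res.setHeader('Content-Type', 'text/plain; charset=utf-8');
  res.end(`Unsupported charset "${charset}"; use UTF-8, UTF-16 LE/BE or UTF-32 LE/BE\n`);
}

// Constructed sample headers (not captured traffic): a normal JSON client, a
// UTF-16LE client, a client with no charset, and two legacy charsets that a
// patched server should refuse.
const SAMPLE_HEADERS = [
  'application/json; charset=utf-8',
  'application/json; charset=UTF-16LE',
  'application/json',
  'application/json; charset="ISO-8859-1"',
  'application/json; charset=shift_jis',
];

// Drive the middleware with stub req/res objects instead of a live server.
// Returns the status each sample would receive (200 = passed through to next()).
function simulate(headers = SAMPLE_HEADERS) {
  return headers.map((contentType) => {
    const res = {
      statusCode: 200, headers: {}, body: '',
      setHeader(k, v) { this.headers[k] = v; },
      end(b) { this.body = b; },
    };
    let passed = false;
    unicodeCharsetGate({ headers: { 'content-type': contentType } }, res, () => { passed = true; });
    return { contentType, status: passed ? 200 : res.statusCode };
  });
}

for (const r of simulate()) console.log(`${r.status}  ${r.contentType}`);
```

Against a real server the same probe is the reproduction test: send each of the sample Content-Type values and expect the last two to come back as 415 once the fix is in place. Standalone users cannot mount this middleware directly, which is why the advisory's workaround for unfixable versions is to move to an integration package.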

Added: Feb 4, 2026, 8:29 PM
Updated: Feb 4, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.