CVE-2023-41317

7.5 HIGH

📋 TL;DR

A Denial-of-Service vulnerability in Apollo Router versions 1.28.0 through 1.29.0 causes the router to crash and terminate when specific conditions involving GraphQL subscriptions are met. It affects organizations running Apollo Router with subscriptions enabled and a supergraph schema that contains a subscription type. The vulnerability can be triggered by sending an anonymous subscription operation.

💻 Affected Systems

Products:
  • Apollo Router
Versions: 1.28.0, 1.28.1, 1.29.0
Operating Systems: All platforms running Apollo Router
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when all four conditions are met: running affected version, supergraph has subscription type, subscriptions enabled in config, and receiving anonymous subscription operation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage where Apollo Router crashes and stops processing all GraphQL operations, requiring a manual restart of the service.

🟠 Likely Case: Intermittent service disruptions when anonymous subscription operations are sent to vulnerable configurations, causing router restarts.

🟢 If Mitigated: No impact if subscriptions are disabled or if running patched version 1.29.1+.

🌐 Internet-Facing: MEDIUM - Requires specific configuration (subscriptions enabled) and anonymous subscription operations, but can be triggered by any client.
🏢 Internal Only: MEDIUM - Same technical risk but limited to internal clients; still causes service disruption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specific GraphQL subscription operation, but no authentication or special privileges are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.29.1

Vendor Advisory: https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx

Restart Required: Yes

Instructions:

1. Stop the Apollo Router service.
2. Update to version 1.29.1 using your package manager or download it from the releases page.
3. Restart the Apollo Router service.

🔧 Temporary Workarounds

Disable GraphQL Subscriptions (all platforms)

If subscriptions are not required, disable them in the router configuration to prevent exploitation.

Edit the router configuration YAML to ensure subscriptions are not enabled, or set enabled: false under the subscription section.

🧯 If You Can't Patch

  • Disable GraphQL subscriptions in router configuration if not required
  • Implement WAF rules to block anonymous subscription operations at the network perimeter

🔍 How to Verify

Check if Vulnerable:

Check the Apollo Router version and configuration:

1. Verify the version is 1.28.0, 1.28.1, or 1.29.0.
2. Check whether subscriptions are enabled in the YAML config.
3. Verify the supergraph schema contains a subscription type.

Check Version:

apollo-router --version

Verify Fix Applied:

Confirm the Apollo Router version is 1.29.1 or later using the version check command above.
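The three checks above can be scripted so that a fleet of routers is assessed consistently. The following is an added example written for this page; it is not code from the advisory or from the Apollo Router project. It assumes that the output of `apollo-router --version` contains a dotted version number, that the router YAML enables subscriptions via a top-level `subscription:` block with an `enabled:` key (the key path is an assumption based on the router's configuration layout), and that a supergraph SDL exposes a subscription root either as `type Subscription` or via a `schema { subscription: ... }` declaration. All sample inputs are constructed.

```python
"""Assess whether an Apollo Router deployment meets all three conditions
for CVE-2023-41317: affected version, subscriptions enabled, and a
subscription type in the supergraph schema. Added example, not project code."""
import re

# Affected and fixed versions as stated in the advisory.
AFFECTED_VERSIONS = {"1.28.0", "1.28.1", "1.29.0"}
FIXED_VERSION = (1, 29, 1)


def parse_version(version_output: str) -> tuple:
    """Extract a (major, minor, patch) triple from `apollo-router --version` output.
    Assumption: the output contains a dotted version such as '1.29.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError(f"no version number found in: {version_output!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(version_output: str) -> bool:
    """True when the running version is one of the three affected releases."""
    return ".".join(map(str, parse_version(version_output))) in AFFECTED_VERSIONS


def version_is_fixed(version_output: str) -> bool:
    """True when the running version is 1.29.1 or later."""
    return parse_version(version_output) >= FIXED_VERSION


def subscriptions_enabled(config_yaml: str) -> bool:
    """Minimal scan of the router YAML for a top-level `subscription:` block
    containing `enabled: true`. Avoids a YAML library dependency; only the
    indentation-based nesting needed for this one key is handled (assumed layout)."""
    in_block = False
    for line in config_yaml.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # A new top-level key starts; we only care about `subscription:`.
            in_block = stripped.startswith("subscription:")
            continue
        if in_block:
            m = re.match(r"\s+enabled:\s*(true|false)\s*(?:#.*)?$", line, re.IGNORECASE)
            if m:
                return m.group(1).lower() == "true"
    return False


def schema_has_subscription_type(sdl: str) -> bool:
    """Detect a subscription root in supergraph SDL: a `type Subscription`
    definition, or a `schema { ... subscription: X }` declaration."""
    if re.search(r"^\s*type\s+Subscription\b", sdl, re.MULTILINE):
        return True
    return re.search(r"^\s*schema\b[^{]*\{[^}]*\bsubscription\s*:", sdl, re.MULTILINE) is not None


def is_vulnerable(version_output: str, config_yaml: str, sdl: str) -> bool:
    """All three conditions from the advisory must hold for the router to be exposed."""
    return (version_is_affected(version_output)
            and subscriptions_enabled(config_yaml)
            and schema_has_subscription_type(sdl))


# Constructed sample inputs standing in for real command output and files.
VERSION_OUTPUT = "Apollo Router v1.29.0"
CONFIG_VULN = """
supergraph:
  listen: 0.0.0.0:4000
subscription:
  enabled: true
  mode:
    passthrough:
      all:
        path: /ws
"""
CONFIG_SAFE = CONFIG_VULN.replace("enabled: true", "enabled: false")
SDL = """
schema
  @link(url: "https://specs.apollo.dev/link/v1.0")
{
  query: Query
  subscription: Subscription
}

type Query { ping: String }
type Subscription { tick: Int }
"""

if __name__ == "__main__":
    print("affected version :", version_is_affected(VERSION_OUTPUT))
    print("subs enabled     :", subscriptions_enabled(CONFIG_VULN))
    print("schema has subs  :", schema_has_subscription_type(SDL))
    print("VULNERABLE       :", is_vulnerable(VERSION_OUTPUT, CONFIG_VULN, SDL))
```

In practice, feed the function the captured output of `apollo-router --version`, the contents of the router's YAML file, and the supergraph SDL the router is serving; a result of `True` means all three advisory conditions hold and the host should be patched to 1.29.1 or have subscriptions disabled.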

📡 Detection & Monitoring

Log Indicators:

  • Router panic messages in logs
  • Process termination/crash logs
  • Error messages related to subscription handling

Network Indicators:

  • Anonymous GraphQL subscription operations
  • Sudden service unavailability after subscription requests

SIEM Query:

source="apollo-router" AND (panic OR crash OR termination) AND subscription
