CVE-2024-28101

7.5 HIGH

📋 TL;DR

Apollo Router versions 0.9.5 through 1.40.1 have a denial-of-service vulnerability: highly compressed HTTP payloads cause excessive memory consumption during decompression, before request size limits are enforced. All deployments running these versions are affected, potentially allowing an attacker to crash the router or degrade its performance.

💻 Affected Systems

Products:
  • Apollo Router
Versions: 0.9.5 through 1.40.1
Operating Systems: All platforms running Apollo Router
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using vulnerable versions with HTTP compression enabled are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage due to memory exhaustion, causing router crashes and unavailability of GraphQL services.

🟠 Likely Case: Performance degradation and intermittent service disruptions from memory pressure and resource exhaustion.

🟢 If Mitigated: Minimal impact with proper request size limits at proxy layers or upgraded router versions.

🌐 Internet-Facing: HIGH - Internet-facing routers are directly exposed to malicious payloads from untrusted sources.
🏢 Internal Only: MEDIUM - Internal routers could still be targeted by compromised internal systems or malicious insiders.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted compressed HTTP payloads but is straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.40.2

Vendor Advisory: https://github.com/apollographql/router/security/advisories/GHSA-cgqf-3cq5-wvcj

Restart Required: Yes

Instructions:

1. Update Apollo Router to version 1.40.2 or later.
2. Restart the router service.
3. Verify the new version is running.

🔧 Temporary Workarounds

Configure HTTP request size limits at proxy (all platforms)

Implement request body size limits in frontend proxies like Nginx or HAProxy to block oversized requests before they reach the router.

# Nginx example (http, server or location context):
client_max_body_size 10m;

# HAProxy example (frontend or backend section). tune.bufsize is a global
# per-connection buffer tunable, not a request size limit, so the limit is
# expressed as an ACL on the advertised request body size instead:
option http-buffer-request
http-request deny deny_status 413 if { req.body_size gt 10485760 }

🧯 If You Can't Patch

  • Deploy WAF or proxy layer with strict HTTP body size limits before requests reach vulnerable routers.
  • Disable HTTP compression support in router configuration if feasible for your use case.
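A proxy body-size cap bounds the compressed bytes that reach the router, but the TL;DR describes a decoded size that is only checked after decompression, so the memory that matters is bounded only by a cap applied while inflating. The following Python stand-in is an added illustration of that vulnerability class and is not Apollo Router's own (Rust) code: it places the "decompress, then check" ordering beside a streaming decoder that stops as soon as the decoded output exceeds the limit, and measures the peak memory of each with tracemalloc. The 1 MiB limit and the 4 MiB zero-filled test body are constructed for the demo; Apollo Router's real limit and its configuration key are not reproduced here.

```python
import gzip
import tracemalloc
import zlib

# Constructed test input (not from the advisory): 4 MiB of zero bytes, which
# gzip shrinks to a few KiB. It stands in for the "highly compressed HTTP
# payload" described in the TL;DR.
RAW_SIZE = 4 * 1024 * 1024
SAMPLE_BODY = gzip.compress(b"\x00" * RAW_SIZE)

# Hypothetical decoded-body limit for the demo; Apollo Router's real limit
# and its configuration key are not reproduced here.
MAX_BODY_BYTES = 1024 * 1024


class BodyTooLarge(Exception):
    """Raised when a decoded request body exceeds the configured limit."""


def inflate_then_check(compressed: bytes, limit: int = MAX_BODY_BYTES) -> bytes:
    """Vulnerable ordering: decompress everything, then apply the size limit.
    Peak memory equals the full decompressed size, whatever the limit says."""
    body = gzip.decompress(compressed)  # all RAW_SIZE bytes are now in memory
    if len(body) > limit:
        raise BodyTooLarge(len(body))
    return body


def inflate_with_cap(compressed: bytes, limit: int = MAX_BODY_BYTES,
                     step: int = 64 * 1024) -> bytes:
    """Hardened ordering: decompress incrementally and stop as soon as the
    output exceeds the limit. Peak memory is bounded by roughly limit + step."""
    # wbits=31 selects gzip framing (47 would auto-detect gzip or zlib).
    d = zlib.decompressobj(wbits=31)
    out = bytearray()
    pending = compressed
    while pending:
        # max_length caps the output of this call; input that could not be
        # processed yet is handed back in d.unconsumed_tail.
        out += d.decompress(pending, step)
        if len(out) > limit:
            raise BodyTooLarge(len(out))
        pending = d.unconsumed_tail
    out += d.flush()  # remaining bytes of the final match, if any
    if len(out) > limit:
        raise BodyTooLarge(len(out))
    return bytes(out)


def peak_memory(fn, *args) -> int:
    """Run fn(*args), swallowing BodyTooLarge, and return the peak number of
    bytes Python allocated during the call (as seen by tracemalloc)."""
    tracemalloc.start()
    try:
        fn(*args)
    except BodyTooLarge:
        pass
    finally:
        _, peak = tracemalloc.get_traced_memory()
        tracemalloc.stop()
    return peak


def compression_ratio(compressed: bytes, raw_size: int) -> float:
    """Decoded bytes per compressed byte: the quantity to record when a
    detection rule looks for abnormally high compression ratios."""
    return raw_size / len(compressed)


if __name__ == "__main__":
    print(f"compressed {len(SAMPLE_BODY)} bytes -> {RAW_SIZE} bytes, "
          f"ratio {compression_ratio(SAMPLE_BODY, RAW_SIZE):.0f}:1")
    print("decompress-then-check peak:", peak_memory(inflate_then_check, SAMPLE_BODY))
    print("capped-decompress peak:   ", peak_memory(inflate_with_cap, SAMPLE_BODY))
```

Both decoders reject the sample body, so a functional test cannot tell them apart; only the peak-memory figures do, which is why a proxy-side cap on compressed bytes is a mitigation and the patched router is the fix.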

🔍 How to Verify

Check if Vulnerable:

Check the Apollo Router version: if it is between 0.9.5 and 1.40.1 inclusive, the system is vulnerable.

Check Version:

apollo-router --version

Verify Fix Applied:

Confirm router version is 1.40.2 or later and test with compressed payloads while monitoring memory usage.
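Comparing version strings by hand goes wrong on versions such as 1.40.10, which sorts before 1.40.2 as text but is a fixed release numerically. The following Python helper is an added example, not tooling from the Apollo project: it applies the 0.9.5 through 1.40.1 range from this page as an integer-tuple comparison. The `apollo-router` binary name is taken from the Check Version command above; the exact format of its `--version` output is an assumption, so the parser takes the first x.y.z triple it finds and ignores any prerelease suffix.

```python
import re
import subprocess

# Affected range and fixed release, as stated on this page.
VULN_FIRST = (0, 9, 5)
VULN_LAST = (1, 40, 1)
FIXED = (1, 40, 2)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Extract the first x.y.z triple from CLI output as a tuple of ints.
    Prerelease suffixes (e.g. '-rc.1') are ignored. Returns None if no
    version triple is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version) -> bool:
    """Inclusive range check; tuple comparison is numeric per component,
    so (1, 40, 10) correctly compares greater than (1, 40, 2)."""
    return VULN_FIRST <= version <= VULN_LAST


def assess(cli_output: str) -> str:
    """Classify raw `--version` output as 'vulnerable', 'not affected' or
    'unknown' (no parseable version)."""
    v = parse_version(cli_output)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "not affected"


def check_installed(binary: str = "apollo-router") -> str:
    """Run `<binary> --version` on this host and classify the result.
    Returns 'unknown' if the binary is missing or does not answer."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return assess(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print(check_installed())
```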

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory consumption spikes
  • Router crash/restart logs
  • Large compressed request logs

Network Indicators:

  • Large compressed HTTP POST requests to router endpoints
  • Abnormal request patterns with high compression ratios

SIEM Query:

source="apollo-router" AND (memory_usage>90% OR "panic" OR "restart")
