CVE-2024-43414
📋 TL;DR
A denial-of-service vulnerability in Apollo Federation's query planner allows attackers to crash GraphQL services by sending specially crafted complex queries. This affects systems using @apollo/query-planner, @apollo/gateway, or Apollo Router with specific shared field configurations. The vulnerability causes infinite loops and unbounded memory consumption, leading to service crashes.
💻 Affected Systems
- @apollo/query-planner
- @apollo/gateway
- Apollo Router
📦 What is this software?
Apollo Gateway by Apollographql
Apollo Query Planner by Apollographql
Apollo Router by Apollographql
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage with crash or OOM termination, potentially affecting all GraphQL queries and dependent services.
Likely Case
Service degradation or crashes when attackers send malicious queries, requiring service restarts and causing temporary downtime.
If Mitigated
Minimal impact with proper query complexity limits, rate limiting, and monitoring in place.
🎯 Exploit Status
Exploitation requires an understanding of the GraphQL schema structure and its shared fields, but crafting malicious queries is straightforward once a vulnerable configuration is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5, Apollo Router v1.52.1
Vendor Advisory: https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4
Restart Required: Yes
Instructions:
1. Update @apollo/query-planner to v2.8.5 or higher.
2. Update @apollo/gateway to v2.8.5 or higher.
3. Update Apollo Router to v1.52.1 or higher.
4. Restart all affected services.
🔧 Temporary Workarounds
Remove shared field configurations
Ensure no fields are resolvable by multiple subgraphs. For Federation 2, remove @shareable directives. For Federation 1, audit schemas for overlapping field resolutions.
Implement query complexity limits
Configure GraphQL servers to reject queries exceeding complexity thresholds before they reach the query planner.
🧯 If You Can't Patch
- Implement strict rate limiting on GraphQL endpoints to limit query volume
- Deploy WAF rules to detect and block complex GraphQL query patterns
🔍 How to Verify
Check if Vulnerable:
Check package.json for affected versions and review subgraph schemas for shared fields. For Federation 2, search for @shareable directives. For Federation 1, manually identify fields resolvable by multiple subgraphs.
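An added script (not the Apollo project's code) that automates the two checks above on constructed inputs: it flags an @apollo/query-planner or @apollo/gateway spec whose declared lower bound is below the advisory's fixed version, and lists Federation 2 fields carrying @shareable (on the field or on the whole type). It assumes simple x.y.z version specs; the lockfile or npm list output is authoritative for what is actually installed.

```javascript
// Added example (not Apollo's code): audit package.json specs and subgraph SDL for this advisory.
const FIXED = { '@apollo/query-planner': '2.8.5', '@apollo/gateway': '2.8.5' }; // from the advisory
// Extract x.y.z from a spec such as "^2.8.1"; assumes simple semver specs, not complex ranges.
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  return m ? m.slice(1, 4).map(Number) : null;
}
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// Names affected packages whose declared lower bound predates the fix (npm list is authoritative).
function vulnerableDeps(pkgJson) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const flagged = [];
  for (const [name, fixed] of Object.entries(FIXED)) {
    if (!(name in deps)) continue;
    const v = parseVersion(deps[name]);
    if (!v || isBelow(v, parseVersion(fixed))) flagged.push(name); // unparsable spec: flag for review
  }
  return flagged;
}
// Lists Federation 2 fields marked @shareable on the field or on the whole object type.
function shareableFields(sdl) {
  const found = [];
  const typeRe = /type\s+(\w+)([^{]*)\{([^}]*)\}/g;
  let t;
  while ((t = typeRe.exec(sdl)) !== null) {
    const [, typeName, header, body] = t;
    const typeShared = /@shareable\b/.test(header);
    for (const line of body.split('\n')) {
      const f = /^\s*(\w+)\s*(?:\([^)]*\))?\s*:/.exec(line);
      if (f && (typeShared || /@shareable\b/.test(line))) found.push(`${typeName}.${f[1]}`);
    }
  }
  return found;
}
// Constructed sample inputs: one patched spec, one still below the fix, one @shareable field.
const samplePkg = { dependencies: { '@apollo/query-planner': '2.8.5', '@apollo/gateway': '^2.8.1' } };
const sampleSdl = `
type Product @key(fields: "id") {
  id: ID!
  name: String @shareable
  price: Int
}
type Query { products: [Product] }
`;
console.log('below-fix packages:', vulnerableDeps(samplePkg));   // [ '@apollo/gateway' ]
console.log('@shareable fields:', shareableFields(sampleSdl));   // [ 'Product.name' ]
```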
Check Version:
npm list @apollo/query-planner @apollo/gateway && apollo-router --version
Verify Fix Applied:
Verify installed versions: @apollo/query-planner >=2.8.5, @apollo/gateway >=2.8.5, Apollo Router >=1.52.1. Test with complex queries that previously caused issues.
📡 Detection & Monitoring
Log Indicators:
- High memory consumption spikes
- Process crashes with OOM errors
- Long-running query planner operations
- Infinity values in query planning logs
Network Indicators:
- Large/complex GraphQL queries
- Repeated query patterns targeting shared fields
- Sudden increase in query size/complexity
SIEM Query:
source="*apollo*" AND ("out of memory" OR "OOM" OR "infinity" OR "query planner")