CVE Tools
Sign in

CVE-2024-43783

Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies

Published: Aug 27, 2024Updated: Sep 12, 2024 Sources: CVE List NVD GHSACWE-770
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.9%
Top 46.4%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions >=1.21.0 and < 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. Instances of the Apollo Router running versions >=1.7.0 and <1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true: 1. Router has been configured to use a custom-developed Native Rust Plugin. 2. The plugin accesses Request.router_request in the RouterService layer. 3. You are accumulating the body from Request.router_request into memory. If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB. If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors. If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance).

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:NA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-770

Affected Products

apollo-routerapollographql
Mixed
Cloud & SaaS / api-gateway
apollo helms-charts routerapollographql
Mixed
Cloud & SaaS / api-gateway
apollo routerapollographql
Mixed
Cloud & SaaS / api-gateway
apollo-routercrates.ioOSS Libraries
routerapollographql
Mixed
Cloud & SaaS / api-gateway
apollographqlcommercialCloud & SaaSaka apollo router, federation
crates.iopackage-ecosystemOSS Libraries

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

1 technique
Impact
View detailed technique mapping

References

https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14
github.com
https://github.com/apollographql/router/releases/tag/v1.52.1
github.com
https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32
github.com
and 5 more references View all →

Timeline

Published
Aug 27, 2024
Last Updated
Sep 12, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-43783 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows