
10 matches found

Snyk
added 2026/03/13 8:51 p.m. | 3 views

Prototype Pollution

Overview @apollo/query-planner is an Apollo Query Planner Affected versions of this package are vulnerable to Prototype Pollution through incomplete sanitization of input in the query plan execution. An attacker can manipulate the Object.prototype in the gateway by crafting operations with field...

CVSS 9.9 | AI score 6.6 | EPSS 0.00043
Exploits 0 | References 2
vulnersOsv
added 2026/03/13 8:51 p.m. | 5 views

2mxdev-gql-gateway (=1.0.0), @2mxdev/gql-gateway (>=1.0.0 <=4.0.2) +209 more potentially affected by CVE-2026-32621 via @apollo/query-planner (>=0.0.11 <=2.9.5)

@apollo/query-planner NPM version =0.0.11, =1.0.0, =0.24.2, =1.0.0, =0.0.1-feature-ci-publish.2, =0.0.1-feature-ci-publish.2, =0.6.5, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =0.0.22 and more Source cves: CVE-2026-32621 Source advisory: OSV:GHSA-PFJJ-6F4P-RVMH...

CVSS 9.9 | AI score 5.8 | EPSS 0.00043
Exploits 0
vulnersOsv
added 2026/03/13 8:51 p.m. | 3 views

@apollo/gateway (>=2.0.0 <=2.14.0), @dfanchon/gateway (=2.11.0) +72 more potentially affected by CVE-2026-32621 via @apollo/query-planner (>=2.10.0-alpha.0 <=2.9.5)

@apollo/query-planner NPM version =2.10.0-alpha.0, =2.0.0, =0.0.2-beta.4, =1.0.52, =1.7.3, =3.0.5, =3.0.4, =0.2.0, =0.11.46, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =8.6.7, =11.5.0 and more Source cves: CVE-2026-32621 Source advisory: SNYK:JS-APOLLOQUERYPLANNER-15612460...

CVSS 9.9 | AI score 5.8 | EPSS 0.00043
Exploits 0
Veracode
added 2024/08/28 7:32 p.m. | 12 views

Uncontrolled Recursion

@apollo/gateway and @apollo/query-planner are vulnerable to Uncontrolled Recursion. The vulnerability is due to the query planner potentially entering an infinite loop when processing sufficiently complex queries, leading to unbounded memory consumption and possible system crashes...

CVSS 7.5 | AI score 7.1 | EPSS 0.00187
Exploits 1 | References 6 | Affected Software 2
NVD
added 2024/08/27 6:15 p.m. | 13 views

CVE-2024-43414

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1...

CVSS 7.5 | EPSS 0.00187
Exploits 1 | References 3
Github Security Blog
added 2024/08/27 6:14 p.m. | 20 views

Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries

Impact Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1 are also impacted through their use of @apollo/query-planner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded...

CVSS 7.5 | AI score 6.6 | EPSS 0.00187
Exploits 1 | References 6 | Affected Software 3
vulnersOsv
added 2024/08/27 6:14 p.m. | 4 views

@apollo/gateway (>=2.0.0 <=2.14.0), @dfanchon/gateway (=2.11.0) +72 more potentially affected by CVE-2024-43414 via @apollo/query-planner (>=2.10.0-alpha.0 <=2.8.4)

@apollo/query-planner NPM version =2.10.0-alpha.0, =2.0.0, =0.0.2-beta.4, =1.0.52, =1.7.3, =3.0.5, =3.0.4, =0.2.0, =0.11.46, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =8.6.7, =11.5.0 and more Source cves: CVE-2024-43414 Source advisory: OSV:GHSA-FMJ9-77Q8-G6C4...

CVSS 7.5 | AI score 5.8 | EPSS 0.00187
Exploits 1
CVE
added 2024/08/27 5:20 p.m. | 50 views

CVE-2024-43414

CVE-2024-43414 affects Apollo Federation components: @apollo/query-planner (v2.0.0–=2.0.0 and <2.8.5) and Apollo Router (

CVSS 7.5 | AI score 7.5 | EPSS 0.00187
Exploits 1 | References 3 | Affected Software 5
OSV
added 2024/08/27 5:20 p.m. | 13 views

CVE-2024-43414 Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1...

CVSS 7.5 | AI score 6.7 | EPSS 0.00187
Exploits 1 | References 5
Positive Technologies
added 2024/08/27 12:00 a.m. | 3 views

PT-2024-30572 · Apollo · Apollo Gateway +2

Name of the Vulnerable Software and Affected Versions: @apollo/query-planner versions 2.0.0 through 2.8.4 @apollo/gateway versions 2.0.0 through 2.8.4 Apollo Router versions prior to 1.52.1 Description: The issue is a denial-of-service vulnerability that can cause the Apollo query planner to loop...

CVSS 8.7 | AI score 6.7 | EPSS 0.00187
Exploits 1 | References 13