CVE-2024-43414

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1...

CVE-2024-23841

apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input e.g. by redirecting...

CVE-2024-28101

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service DoS type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the...

Malicious code in react-native-apollo-devtools (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 643d99775fbe5d1e11235967329b1d9bfdd5f173b113db79c998b0ea7f2b7b3c The OpenSSF Package Analysis project identified 'react-native-apollo-devtools' @ 1.0.0 npm as malicious. It is considered malicious because: - T...

CVE-2024-49581

Restricted Views backed objects OSV1 could be bypassed under specific circumstances due to a software bug, this could have allowed users that didn't have permission to see such objects to view them via Object Explorer directly. This software bug did not impact or otherwise make data available...

CVE-2024-49581 Access control issue impacting RV backed objects

Restricted Views backed objects OSV1 could be bypassed under specific circumstances due to a software bug, this could have allowed users that didn't have permission to see such objects to view them via Object Explorer directly. This software bug did not impact or otherwise make data available...

CVE-2024-49581 Access control issue impacting RV backed objects

Restricted Views backed objects OSV1 could be bypassed under specific circumstances due to a software bug, this could have allowed users that didn't have permission to see such objects to view them via Object Explorer directly. This software bug did not impact or otherwise make data available...

CVE-2024-49581

CVE-2024-49581 affects Palantir Foundry (Apollo-managed Foundry instances). A software bug in Restricted Views backed objects (OSV1) could be bypassed under specific circumstances, allowing users without permission to view such objects via the Object Explorer. The issue did not enable cross-organ...

More Details on Israel Sabotaging Hezbollah Pagers and Walkie-Talkies

The Washington Post has a long and detailed story about the operation that's well worth reading alternate version here. The sales pitch came from a marketing official trusted by Hezbollah with links to Apollo. The marketing official, a woman whose identity and nationality officials declined to...

apollo-gateway-rs (>=0.7.5 <=0.7.6), aqlgen (>=0.1.0 <=0.8.0) +82 more potentially affected by CVE-2024-47614 via async-graphql (>=1.13.4 <=6.0.11)

async-graphql CARGO version =1.13.4, =0.7.5, =0.1.0, =0.1.0, =0.1.0, =0.0.1-alpha+3, =0.1.0, =2.9.13, =4.0.3, =0.1.0-beta.0, =2.9.12, =0.2.0, =1.14.10, =0.1.0, =0.4.4 and more Source cves: CVE-2024-47614 Source advisory: OSV:GHSA-5GC2-7C65-8FQ8...

Malicious code in apollo-client-error-template (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis fe552e4b70220e1bb21d16486e988a993baf13fe78babd1d269cea3a7a765954 The OpenSSF Package Analysis project identified 'apollo-client-error-template' @ 2.0.0 npm as malicious. It is considered malicious because: - T...

MAL-2024-9008 Malicious code in apollo-client-error-template (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis fe552e4b70220e1bb21d16486e988a993baf13fe78babd1d269cea3a7a765954 The OpenSSF Package Analysis project identified 'apollo-client-error-template' @ 2.0.0 npm as malicious. It is considered malicious because: - T...

Uncontrolled Recursion

@apollo/gateway and @apollo/query-planner are vulnerable to Uncontrolled Recursion. The vulnerability is due to the query planner potentially entering an infinite loop when processing sufficiently complex queries, leading to unbounded memory consumption and possible system crashes...

CVE-2024-43783

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions =1.21.0 and =1.7.0 and 1.52.1 are impacted by a denial-of-service vulnerability if all of the...

CVE-2024-43414

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1...

GHSA-X6XQ-WHH3-GG32 Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies

Impact Instances of the Apollo Router using either of the following may be impacted by a denial-of-service vulnerability. 1. External Coprocessing with specific configurations; or 2. Native Rust Plugins accessing the Router request body in the RouterService layer Router customizations using Rhai...

Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies

Impact Instances of the Apollo Router using either of the following may be impacted by a denial-of-service vulnerability. 1. External Coprocessing with specific configurations; or 2. Native Rust Plugins accessing the Router request body in the RouterService layer Router customizations using Rhai...

inigo-rs (>=0.1.5 <=0.27.8) potentially affected by CVE-2024-43414 via apollo-router (=1.2.1)

apollo-router CARGO version =1.2.1 is affected by a known vulnerability. The following packages have a transitive dependency on apollo-router and may be impacted: - inigo-rs =0.1.5, =0.27.8 Source cves: CVE-2024-43414 Source advisory: OSV:GHSA-FMJ9-77Q8-G6C4...

Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries

Impact Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1 are also impacted through their use of @apollo/query-planner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded...

@faasjs/graphql-server (>=0.0.2-beta.4 <=0.0.2-beta.253), @galdirik/common (>=1.0.52 <=1.1.42) +69 more potentially affected by CVE-2024-43414 via @apollo/gateway (>=2.0.1 <=2.8.4)

@apollo/gateway NPM version =2.0.1, =0.0.2-beta.4, =1.0.52, =1.7.3, =3.0.5, =3.0.4, =0.2.0, =0.11.46, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =8.6.7, =6.0.0-dev.156-swarm.1, =0.7.0-alpha.3, =0.7.32 and more Source cves: CVE-2024-43414 Source advisory: OSV:GHSA-FMJ9-77Q8-G6C4...