1233 matches found

OSV
added 2024/08/27 6:14 p.m., 16 views

GHSA-FMJ9-77Q8-G6C4 Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries

Impact Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1 are also impacted through their use of @apollo/query-planner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded...

8.7 CVSS, 7.5 AI score, 0.00187 EPSS
Exploits: 1, References: 6

vulnersOsv
added 2024/08/27 6:14 p.m., 4 views

@apollo/gateway (>=2.0.0 <=2.14.0), @dfanchon/gateway (=2.11.0) +72 more potentially affected by CVE-2024-43414 via @apollo/query-planner (>=2.10.0-alpha.0 <=2.8.4)

@apollo/query-planner NPM version =2.10.0-alpha.0, =2.0.0, =0.0.2-beta.4, =1.0.52, =1.7.3, =3.0.5, =3.0.4, =0.2.0, =0.11.46, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =8.6.7, =11.5.0 and more Source cves: CVE-2024-43414 Source advisory: OSV:GHSA-FMJ9-77Q8-G6C4...

7.5 CVSS, 5.8 AI score, 0.00187 EPSS
Exploits: 1

Cvelist
added 2024/08/27 5:20 p.m., 15 views

CVE-2024-43414 Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1...

7.5 CVSS, 0.00187 EPSS
Exploits: 1, References: 3

CVE
added 2024/08/27 5:20 p.m., 51 views

CVE-2024-43414

CVE-2024-43414 affects Apollo Federation components: @apollo/query-planner (v2.0.0–=2.0.0 and <2.8.5) and Apollo Router (

7.5 CVSS, 7.5 AI score, 0.00187 EPSS
Exploits: 1, References: 3, Affected Software: 5

Vulnrichment
added 2024/08/27 5:20 p.m., 12 views

CVE-2024-43414 Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1...

7.5 CVSS, 6.6 AI score, 0.00187 EPSS
Exploits: 1, References: 3

OSV
added 2024/08/27 5:20 p.m., 13 views

CVE-2024-43414 Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1...

7.5 CVSS, 6.7 AI score, 0.00187 EPSS
Exploits: 1, References: 5

Cvelist
added 2024/08/27 5:16 p.m., 14 views

CVE-2024-43783 Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions =1.21.0 and =1.7.0 and 1.52.1 are impacted by a denial-of-service vulnerability if all of the...

7.5 CVSS, 0.00625 EPSS
Exploits: 1, References: 6

Vulnrichment
added 2024/08/27 5:16 p.m., 18 views

CVE-2024-43783 Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions =1.21.0 and =1.7.0 and 1.52.1 are impacted by a denial-of-service vulnerability if all of the...

7.5 CVSS, 6.7 AI score, 0.00625 EPSS
Exploits: 1, References: 6

OSV
added 2024/08/27 5:16 p.m., 10 views

CVE-2024-43783 Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions =1.21.0 and =1.7.0 and 1.52.1 are impacted by a denial-of-service vulnerability if all of the...

7.5 CVSS, 6.5 AI score, 0.00625 EPSS
Exploits: 1, References: 8

CVE
added 2024/08/27 5:16 p.m., 57 views

CVE-2024-43783

The CVE affects Apollo Router Core. If using External Coprocessing, versions 1.21.x–1.52.0 with router.request.body enabled can load entire HTTP request bodies into memory, risking OOM. If using a Native Rust Plugin, versions 1.7.0–1.51.x that access Request.router_request and accumulate the body...

7.5 CVSS, 7.5 AI score, 0.00625 EPSS
Exploits: 1, References: 6, Affected Software: 3

CNNVD
added 2024/08/27 12:0 a.m., 0 views

Apollo Federation security vulnerability

Apollo Federation is an architecture for the Apollo community to declaratively combine APIs into a unified graph. A security vulnerability exists in Apollo Federation, which stems from the fact that if @apollo/query-planner is asked to plan a sufficiently complex query, it may loop indefinitely a...

7.5 CVSS, 6.5 AI score, 0.00187 EPSS
Exploits: 1, References: 4

CNNVD
added 2024/08/27 12:0 a.m., 1 views

Apollo Router Core security vulnerability

Apollo Router Core is a router core application for the Apollo community. A security vulnerability exists in Apollo Router Core that stems from a denial-of-service vulnerability under certain circumstances...

7.5 CVSS, 6.6 AI score, 0.00625 EPSS
Exploits: 1, References: 7

Positive Technologies
added 2024/08/27 12:0 a.m., 3 views

PT-2024-30572 · Apollo · Apollo Gateway +2

Name of the Vulnerable Software and Affected Versions: @apollo/query-planner versions 2.0.0 through 2.8.4 @apollo/gateway versions 2.0.0 through 2.8.4 Apollo Router versions prior to 1.52.1 Description: The issue is a denial-of-service vulnerability that can cause the Apollo query planner to loop...

8.7 CVSS, 6.7 AI score, 0.00187 EPSS
Exploits: 1, References: 13

Positive Technologies
added 2024/08/27 12:0 a.m., 3 views

PT-2024-30653 · Apollo · Apollo Router

Name of the Vulnerable Software and Affected Versions: Apollo Router versions 1.7.0 through 1.52.0 Apollo Router versions 1.21.0 through 1.52.0 Description: The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo...

8.7 CVSS, 6.8 AI score, 0.00625 EPSS
Exploits: 1, References: 15

NVD
added 2024/08/20 3:15 p.m., 15 views

CVE-2024-43397

Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed wit...

4.3 CVSS, 0.00098 EPSS
Exploits: 0, References: 4

OSV
added 2024/08/20 2:50 p.m., 12 views

CVE-2024-43397 Potential unauthorized access issue in apollo-portal

Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed wit...

4.3 CVSS, 6.2 AI score, 0.00098 EPSS
Exploits: 0, References: 6

Vulnrichment
added 2024/08/20 2:50 p.m., 19 views

CVE-2024-43397 Potential unauthorized access issue in apollo-portal

Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed wit...

4.3 CVSS, 6.6 AI score, 0.00098 EPSS
Exploits: 0, References: 4

Cvelist
added 2024/08/20 2:50 p.m., 16 views

CVE-2024-43397 Potential unauthorized access issue in apollo-portal

Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed wit...

4.3 CVSS, 0.00098 EPSS
Exploits: 0, References: 4

CVE
added 2024/08/20 2:50 p.m., 53 views

CVE-2024-43397

CVE-2024-43397 affects Apollo’s synchronization configuration feature in the open-source Apollo configuration management system. The vulnerability allows an attacker to bypass permission checks via crafted requests, enabling modification of a namespace without the required rights. The root cause ...

4.3 CVSS, 4.3 AI score, 0.00098 EPSS
Exploits: 0, References: 4, Affected Software: 1

Vulnrichment
added 2024/08/20 12:0 a.m., 12 views

CVE-2024-42662

An issue in apolloconfig apollo v.2.2.0 allows a remote attacker to obtain sensitive information via a crafted request...

6.5 AI score, 0.00301 EPSS
Exploits: 0, References: 2