CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score
Confidence: Low

EPSS
Percentile: 26.1%

@apollo/gateway and @apollo/query-planner are vulnerable to Uncontrolled Recursion. The query planner can enter an infinite loop when processing sufficiently complex queries, leading to unbounded memory consumption and possible system crashes.

github.com/advisories/GHSA-fmj9-77q8-g6c4
github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4
github.com/apollographql/router/commit/e309c9bb5a48c1304ff69c88b7eabdd08c26bf45
github.com/apollographql/router/pull/5892
www.apollographql.com/docs/federation/query-plans
www.apollographql.com/docs/router/configuration/persisted-queries