Lucene search

Veracode Vulnerability DatabaseVERACODE:48619

HistoryAug 28, 2024 - 7:32 p.m.

Uncontrolled Recursion

2024-08-2819:32:09

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

uncontrolled recursion

@apollo/gateway

@apollo/query-planner

query planner

infinite loop

memory consumption

system crashes

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

26.1%

JSON

@apollo/gateway and @apollo/query-planner are vulnerable to Uncontrolled Recursion. The vulnerability is due to the query planner potentially entering an infinite loop when processing sufficiently complex queries, leading to unbounded memory consumption and possible system crashes.

References

github.com/advisories/GHSA-fmj9-77q8-g6c4

github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4

github.com/apollographql/router/commit/e309c9bb5a48c1304ff69c88b7eabdd08c26bf45

github.com/apollographql/router/pull/5892

www.apollographql.com/docs/federation/query-plans

www.apollographql.com/docs/router/configuration/persisted-queries

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

26.1%

JSON

Related for VERACODE:48619