Impact
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the @defer
or Subscriptions, the Router will panic.
To be vulnerable, users of Router must have a coprocessor with coprocessor.supergraph.response
configured in their router.yaml
and also to support either @defer
or Subscriptions.
Patches
Router version 1.33.0 has a fix for this vulnerability. #4014 fixes the issue.
Workarounds
For affected versions, avoid using the coprocessor supergraph response:
# do not use this stage in your coprocessor configuration
coprocessor:
supergraph:
response:
Or you can disable defer and subscriptions support:
# disable defer and subscriptions:
supergraph:
defer_support: false # enabled by default
subscription:
enabled: false # disabled by default
and continue to use the coprocessor supergraph response.
References
#4013
Impact
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the
@defer
or Subscriptions, the Router will panic.To be vulnerable, users of Router must have a coprocessor with
coprocessor.supergraph.response
configured in theirrouter.yaml
and also to support either@defer
or Subscriptions.Patches
Router version 1.33.0 has a fix for this vulnerability. #4014 fixes the issue.
Workarounds
For affected versions, avoid using the coprocessor supergraph response:
Or you can disable defer and subscriptions support:
and continue to use the coprocessor supergraph response.
References
#4013