CVE-2024-43414 – Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries
https://notcve.org/view.php?id=CVE-2024-43414
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally.

Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions >=2.0.0 and <2.8.5 and Apollo Router <1.52.1 are also impacted through their use of @apollo/query-planner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete, so a single crafted operation can keep the planner busy indefinitely. Upgrading to @apollo/query-planner and @apollo/gateway 2.8.5 or Apollo Router 1.52.1 removes the issue; restricting accepted operations to a persisted-query safelist (see the Router persisted-queries documentation below) reduces exposure by keeping clients from submitting arbitrary queries.

References:
  https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4
  https://www.apollographql.com/docs/federation/query-plans
  https://www.apollographql.com/docs/router/configuration/persisted-queries

Weakness: CWE-674: Uncontrolled Recursion
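The following is an added example, not code from the advisory or from the Apollo project: a small Node.js script that walks a package-lock.json (lockfile v2/v3 "packages" map) and reports any @apollo/query-planner or @apollo/gateway install, including nested copies, whose version falls in the affected range >=2.0.0 and <2.8.5 named above. The lockfile content embedded below is constructed for illustration; in practice pass the parsed JSON of a real lockfile to scanLockfile. Apollo Router is a separate binary and is not covered by an npm lockfile scan; check its version against 1.52.1 directly.

```javascript
// Added example (not from the advisory or the Apollo project): find
// CVE-2024-43414 affected installs in an npm lockfile.

// Affected ranges as stated in the advisory: min <= version < fixed.
const AFFECTED = {
  "@apollo/query-planner": { min: "2.0.0", fixed: "2.8.5" },
  "@apollo/gateway":       { min: "2.0.0", fixed: "2.8.5" },
};

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of the three components: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the named package at this version is inside an affected range.
function isAffected(name, version) {
  const range = AFFECTED[name];
  if (!range) return false;
  return compareVersions(version, range.min) >= 0 &&
         compareVersions(version, range.fixed) < 0;
}

// Walk the lockfile "packages" map. Keys look like
// "node_modules/@apollo/gateway" or, for nested installs,
// "node_modules/x/node_modules/@apollo/query-planner".
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the "" key is the root project itself
    const name = path.slice(idx + "node_modules/".length);
    if (entry.version && isAffected(name, entry.version)) {
      findings.push({ path, name, version: entry.version, fixed: AFFECTED[name].fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): a vulnerable gateway,
// a nested vulnerable planner copy, a fixed top-level planner, and an
// unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-gateway", version: "1.0.0" },
    "node_modules/@apollo/gateway": { version: "2.7.8" },
    "node_modules/@apollo/gateway/node_modules/@apollo/query-planner": { version: "2.7.8" },
    "node_modules/@apollo/query-planner": { version: "2.8.5" },
    "node_modules/graphql": { version: "16.9.0" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is affected; upgrade to >=${f.fixed}`);
}
```

Nested copies matter here because @apollo/gateway pulls in its own @apollo/query-planner; a fixed top-level planner does not help if the gateway still resolves a vulnerable nested one, which is exactly the case the sample lockfile shows.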