CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32031 – Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass
https://notcve.org/view.php?id=CVE-2025-32031
07 Apr 2025 — Apollo Gateway provides utilities for combining multiple GraphQL microservices into a single GraphQL endpoint. Prior to 2.10.1, a vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested and reused named frag... • https://github.com/apollographql/federation/pull/3236 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32030 – Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion
https://notcve.org/view.php?id=CVE-2025-32030
07 Apr 2025 — Apollo Gateway provides utilities for combining multiple GraphQL microservices into a single GraphQL endpoint. Prior to 2.10.1, a vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reused fragments were involved. This could lead to e... • https://github.com/apollographql/federation/pull/3236 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43414 – Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries
https://notcve.org/view.php?id=CVE-2024-43414
27 Aug 2024 — Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions >=2.0.0 and < 2.8.5 and Apollo Router <1.52.1 are also impacted through their use of @apollo/query-panner. If @apollo/query-planner is asked to plan a sufficiently complex q... • https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4 • CWE-674: Uncontrolled Recursion •