
CVE-2025-32380 – Apollo Router Query Validation Vulnerable to Excessive Resource Consumption via Named Fragment Processing
https://notcve.org/view.php?id=CVE-2025-32380
09 Apr 2025 — The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router's usage of Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. This could lead to excessive resource consumption and denial of service. Apollo Router's usage of Apollo Compiler has been updated so that validation logic processes each named fragment only once, p... • https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2025-32034 – Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion
https://notcve.org/view.php?id=CVE-2025-32034
07 Apr 2025 — The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, a vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reuse... • https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2025-32033 – Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow
https://notcve.org/view.php?id=CVE-2025-32033
07 Apr 2025 — The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit wer... • https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2025-32032 – Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass
https://notcve.org/view.php?id=CVE-2025-32032
07 Apr 2025 — The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested a... • https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2024-43783 – Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies
https://notcve.org/view.php?id=CVE-2024-43783
27 Aug 2024 — The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions >=1.21.0 and < 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bod... • https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14 • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2024-32971 – Defect in query plan cache may cause incorrect operations to be executed in Apollo Router
https://notcve.org/view.php?id=CVE-2024-32971
02 May 2024 — Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that, in limited circumstances, could lead to unexpected operations being executed, which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router’s cache retrieval logic: When this defect is present and distribu... • https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529 • CWE-440: Expected Behavior Violation; CWE-670: Always-Incorrect Control Flow Implementation

CVE-2024-28101 – Apollo Router's Compressed Payloads do not respect HTTP Payload Limits
https://notcve.org/view.php?id=CVE-2024-28101
06 Mar 2024 — The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the `limits.http_max_request_bytes` configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory ... • https://github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413 • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

CVE-2023-45812 – Improper Check or Handling of Exceptional Conditions in apollo-router
https://notcve.org/view.php?id=CVE-2023-45812
18 Oct 2023 — The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the Router that use `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured... • https://github.com/apollographql/router/pull/4014 • CWE-754: Improper Check for Unusual or Exceptional Conditions

CVE-2023-41317 – Unnamed "Subscription" operation results in Denial-of-Service in apollographql/router
https://notcve.org/view.php?id=CVE-2023-41317
05 Sep 2023 — The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. It can be triggered when **all of the following conditions are met**: 1. Running Apollo Router v1.28.0, v1.28.1 or v1.29.0 ("impacted versions"); **and** 2. The Supergraph schema provided to the Router (... • https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa • CWE-755: Improper Handling of Exceptional Conditions