CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-32380 – Apollo Router Query Validation Vulnerable to Excessive Resource Consumption via Named Fragment Processing
https://notcve.org/view.php?id=CVE-2025-32380
09 Apr 2025 — The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router's usage of Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. This could lead to excessive resource consumption and denial of service. Apollo Router's usage of Apollo Compiler has been updated so that validation logic processes each named fragment only once, p... • https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-32034 – Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion
https://notcve.org/view.php?id=CVE-2025-32034
07 Apr 2025 — The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, a vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reuse... • https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-32033 – Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow
https://notcve.org/view.php?id=CVE-2025-32033
07 Apr 2025 — The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit wer... • https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-32032 – Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass
https://notcve.org/view.php?id=CVE-2025-32032
07 Apr 2025 — The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested a... • https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43783 – Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies
https://notcve.org/view.php?id=CVE-2024-43783
27 Aug 2024 — The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions >=1.21.0 and < 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bod... • https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32971 – Defect in query plan cache may cause incorrect operations to be executed in Apollo Router
https://notcve.org/view.php?id=CVE-2024-32971
02 May 2024 — Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router’s cache retrieval logic: When this defect is present and distribu... • https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529 • CWE-440: Expected Behavior Violation CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28101 – Apollo Router's Compressed Payloads do not respect HTTP Payload Limits
https://notcve.org/view.php?id=CVE-2024-28101
06 Mar 2024 — The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the `limits.http_max_request_bytes` configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory ... • https://github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413 • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
CVSS: 9.8EPSS: 1%CPEs: 11EXPL: 3CVE-2022-27668 – SAP SAProuter Improper Access Control
https://notcve.org/view.php?id=CVE-2022-27668
14 Jun 2022 — Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22, from a remote client, for example stopping the SAProuter, that could highly impact systems availability. Dependiendo de la configuración de la tabla de permisos de ruta en el archivo "sapr... • https://packetstorm.news/files/id/168406 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-1999-1216
https://notcve.org/view.php?id=CVE-1999-1216
22 Apr 1993 — Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command. • http://ciac.llnl.gov/ciac/bulletins/d-15.shtml •