[Action Required] Security Notice regarding vulnerability in Router and Gateway

High-severity vulnerabilities have been identified in all Apollo Router versions up to and including v1.61.1 and v2.1.0 and all Apollo Gateway versions up to and including v2.10.0. These security issues could potentially allow unauthorized attackers to bypass system-enforced limits or exploit performance weaknesses.

We have released Router v1.61.2, Router v2.1.1, and Gateway v2.10.1 to address the three vulnerabilities affecting GraphQL validation, query planning, and the operation limits plugin. We strongly recommend upgrading to these new versions as soon as possible. The corresponding releases are available on all of our official distribution channels, including Docker, Helm, npm, GitHub Releases, and Crates.io.

You can read more about the vulnerabilities and related CVEs via the associated GitHub Security Advisories:

  • Apollo Router
    • Apollo Router Query Validation Vulnerable to Excessive Resource Consumption via Named Fragment Processing (GHSA-3j43-9v8v-cp3f)
    • Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion (GHSA-75m2-jhh5-j5g2)
    • Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow (GHSA-84m6-5m72-45fp)
    • Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass (GHSA-94hh-jmq8-2fgp)
  • Apollo Gateway
    • Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass (GHSA-p2q6-pwh5-m6jr)
    • Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion (GHSA-q2f9-x4p4-7xmh)
  • Apollo Compiler
    • Apollo Compiler Query Validation Vulnerable to Excessive Resource Consumption via Named Fragment Processing (GHSA-7mpv-9xg6-5r79)

Thank you for your understanding and your prompt action on this matter. Apollo GraphOS graph/org admins have also been directly notified via email. The security of our users’ projects is our top priority. Apollo follows responsible disclosure security best practices outlined in our public security policy.


Hello community members,
We will be monitoring this thread for follow-up questions. Please refrain from sharing any sensitive security information or posting example queries that attempt to exploit these vulnerabilities.
