Information Exposure Affecting apollo-router package, versions <1.61.13, >=2.0.0 <2.10.2, >=2.11.0 <2.12.1


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-RUST-APOLLOROUTER-15790569
  • Published: 27 Mar 2026
  • Disclosed: 26 Mar 2026
  • Credit: AmirMohammad Safari

Introduced: 26 Mar 2026

CVE: not available. CWE-200

How to fix?

Upgrade apollo-router to version 1.61.13, 2.10.2, 2.12.1 or higher.

Overview

apollo-router is a configurable, high-performance routing runtime for Apollo Federation.

Affected versions of this package are vulnerable to Information Exposure in the processing of HTTP GET requests containing a Content-Type header with a value other than application/json. An attacker can infer sensitive information about server responses by issuing specially crafted cross-origin authenticated GraphQL queries and analyzing response times.

Note:

This is only exploitable if authentication relies on cookies or HTTP Basic Auth and the client browser is affected by a specific CORS implementation bug.

Workaround

This vulnerability can be mitigated by blocking HTTP requests with a Content-Type header containing message/ at the load balancer or proxy, or by using a Rhai script within the router to reject such requests.
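As an added example, not code from this advisory or from the apollo-router project, the proxy-side half of that workaround written as a Python check with a minimal WSGI wrapper: it rejects any request whose Content-Type media type is message/*, handling case, whitespace and parameters. The names should_block, media_type and ContentTypeGuard are this example's own, and the strict option goes beyond the published workaround by also refusing GET requests that carry a Content-Type other than application/json (the request shape the overview describes).

```python
"""Constructed example of the advisory's workaround at a proxy layer.

Not apollo-router code; the names below are this example's own.
"""
from typing import Iterable


def media_type(content_type: str) -> str:
    """Lowercase media type of a Content-Type value, parameters stripped.

    'Message/RFC822; charset=utf-8' -> 'message/rfc822'
    """
    return content_type.split(";", 1)[0].strip().lower()


def should_block(method: str, content_types: Iterable[str], strict: bool = False) -> bool:
    """Advisory workaround: block any request with a message/* Content-Type.

    strict=True (an assumption beyond the published workaround) additionally
    blocks GET requests carrying any Content-Type other than application/json.
    Check which Content-Types legitimate GET clients send before enabling it.
    """
    for ct in content_types:
        mt = media_type(ct)
        if mt.startswith("message/"):
            return True
        if strict and method.upper() == "GET" and mt and mt != "application/json":
            return True
    return False


class ContentTypeGuard:
    """Minimal WSGI middleware that applies should_block() before the app runs."""

    def __init__(self, app, strict: bool = False):
        self.app, self.strict = app, strict

    def __call__(self, environ, start_response):
        # WSGI exposes the request Content-Type header as CONTENT_TYPE.
        cts = [environ["CONTENT_TYPE"]] if environ.get("CONTENT_TYPE") else []
        if should_block(environ.get("REQUEST_METHOD", "GET"), cts, self.strict):
            start_response("415 Unsupported Media Type",
                           [("Content-Type", "text/plain")])
            return [b"unsupported Content-Type\n"]
        return self.app(environ, start_response)
```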
