Upgrade apollo-router to version 1.61.13, 2.10.2, 2.12.1 or higher (the patched release for whichever of those release lines you are on).
apollo-router is a configurable, high-performance routing runtime for Apollo Federation.
Affected versions of this package are vulnerable to Information Exposure when processing HTTP GET requests whose Content-Type header carries a value other than application/json. An attacker can infer sensitive information about server responses by causing a victim's browser to issue specially crafted cross-origin, authenticated GraphQL queries and measuring how long the responses take.
Note:
This is only exploitable if authentication relies on cookies or HTTP Basic Auth and the client browser is affected by a specific CORS implementation bug.
This vulnerability can be mitigated by blocking HTTP requests whose Content-Type header contains message/ at the load balancer or proxy in front of the router, or by using a Rhai script within the router to reject such requests before they are processed.
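As an added illustration (not apollo-router's own code, and not the Rhai script the mitigation refers to), the following Python implements the blocking rule above as a stand-alone filter that a proxy plugin or middleware could apply before forwarding a request to the router. The request shape (a list of header name/value pairs), the `handle`/`forward` helpers, the choice of a 415 status and the sample requests are all constructed for this example.

```python
from typing import Callable, Iterable, List, Optional, Tuple

# Fragment of the Content-Type header that the interim mitigation blocks.
BLOCKED_FRAGMENT = "message/"

Headers = Iterable[Tuple[str, str]]


def content_type_values(headers: Headers) -> List[str]:
    """Return every Content-Type value in the request.

    Header names are compared case-insensitively, and every copy of the
    header is inspected: a client may repeat it, and a filter that only
    looks at the first occurrence can be bypassed by sending an innocuous
    value first.
    """
    return [value for name, value in headers if name.strip().lower() == "content-type"]


def rejection_reason(headers: Headers) -> Optional[str]:
    """Return why the request must be refused, or None to let it through.

    The rule is the one given in the mitigation: refuse any request whose
    Content-Type header contains "message/". The match is case-insensitive
    and runs over the whole header value (parameters included), so
    "Message/RFC822" and "text/plain; x=message/y" are both caught.
    Requests that carry no Content-Type header are not affected.
    """
    for value in content_type_values(headers):
        if BLOCKED_FRAGMENT in value.lower():
            return f"Content-Type {value!r} is not accepted by this endpoint"
    return None


def handle(method: str, headers: Headers,
           forward: Callable[[str, Headers], Tuple[int, str]]) -> Tuple[int, str]:
    """Minimal filter: reject early, otherwise hand the request to `forward`.

    `forward` stands in for the upstream router (a proxy would proxy the
    request here). The rejection happens before any query processing, which
    is what makes the check useful: the router never sees the request.
    415 Unsupported Media Type is this example's choice of status.
    """
    reason = rejection_reason(headers)
    if reason is not None:
        return 415, reason
    return forward(method, headers)


def _fake_router(method: str, headers: Headers) -> Tuple[int, str]:
    """Stand-in for the router; constructed for the example."""
    return 200, f"forwarded {method} to router"


if __name__ == "__main__":
    # Constructed sample traffic, not captured requests.
    samples = [
        ("GET", [("Content-Type", "application/json")]),
        ("GET", [("content-type", "Message/RFC822")]),
        ("GET", [("Content-Type", "application/json"), ("Content-Type", "message/http")]),
        ("POST", [("Content-Type", "text/plain; x=message/y")]),
        ("GET", []),
    ]
    for method, headers in samples:
        print(method, headers, "->", handle(method, headers, _fake_router))
```

The filter deliberately implements the broad substring rule from the mitigation rather than a parsed media-type check, so that a parameter or unusual casing cannot slip a message/ value past it; once the router is upgraded to a fixed version the filter can be removed.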