Homepage
About Snyk

Data Amplification Affecting apollo-router package, versions <1.40.2-rc0

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUST-APOLLOROUTER-6406555
  • published 7 Mar 2024
  • disclosed 6 Mar 2024
  • credit Ivan Goncharov
Report a new vulnerability Found a mistake?

Introduced: 6 Mar 2024

CVE-2024-28101 Open this link in a new tab
CWE-409 Open this link in a new tab

How to fix?

Upgrade apollo-router to version 1.40.2-rc0 or higher.

Overview

apollo-router is a configurable, high-performance routing runtime for Apollo Federation.

Affected versions of this package are vulnerable to Data Amplification due to the evaluation of the limits.http_max_request_bytes configuration option after decompressing the entirety of compressed HTTP payloads. If highly compressed payloads are received, this could lead to significant memory consumption as the payload expands.

Workaround

This vulnerability can be mitigated by implementing limits on HTTP body upload size at proxies or load balancers positioned in front of the Router fleet, such as Nginx, HAProxy, or cloud-native WAF services.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    Low