Improper Control of Dynamically-Managed Code Resources Affecting apollo-router package, versions >=1.44.0 <1.45.1
Snyk ID: SNYK-RUST-APOLLOROUTER-6765787
- published 2 May 2024
- disclosed 2 May 2024
- credit xuorig
Introduced: 2 May 2024
CVE-2024-32971
How to fix?
Upgrade apollo-router to version 1.45.1 or higher.
Overview
apollo-router is a configurable, high-performance routing runtime for Apollo Federation.
Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources due to a bug in the query plan cache retrieval logic. When distributed query plan caching is enabled, the retrieved plan may not match the incoming operation, so the Router may execute an unexpected variation of a previously executed operation or produce unexpected errors. In practice this can mean fetching incorrect data from, or executing incorrect mutations against, the underlying subgraph servers.
Note
This is only exploitable if the Router instances are configured to use distributed query plan caching.
If you are using the affected versions, you can check your router’s configuration YAML to verify if you are impacted:
supergraph:
  query_planning:
    cache:
      # Look for this config below
      redis:
        urls: ["redis://..."]
Workaround
This vulnerability can be mitigated by disabling distributed query plan caching by removing the supergraph.query_planning.cache.redis.urls configuration. Note that disabling distributed query plan caching will result in each Router instance maintaining its own in-memory query plan cache, potentially increasing resource utilization and cold-start times.
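The two conditions in the Note (a router version inside the affected range and distributed query plan caching configured) and the workaround above are easy to check by hand for one router, but a fleet of router.yaml files is better checked programmatically. The following Python script is an added example, not part of this advisory and not Apollo's code. It assumes the nested-mapping YAML subset shown above (its parser is deliberately minimal; use PyYAML or yq for anything richer), takes the affected range from this advisory, and uses constructed sample configs; the host names in them are invented. The workaround is applied by dropping the whole redis mapping rather than leaving an empty one, which is an assumption about what keeps the config valid.

```python
# Added example, not Apollo's code: check a router version and router.yaml
# against the advisory's two conditions for CVE-2024-32971, then apply the
# workaround. Sample configs below are constructed, not from a real deployment.
import copy
import re

AFFECTED_MIN, FIXED = (1, 44, 0), (1, 45, 1)   # advisory: >=1.44.0 <1.45.1
REDIS_URLS_PATH = "supergraph.query_planning.cache.redis.urls"

def parse_version(version):
    """'1.44.0' or 'v1.44.0' -> (1, 44, 0); pre-release suffixes are rejected."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised router version: {version!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED

def _scalar(value):
    """Inline list -> list of unquoted strings; anything else -> unquoted string."""
    if value.startswith("[") and value.endswith("]"):
        inner = value[1:-1].strip()
        return [v.strip().strip("\"'") for v in inner.split(",")] if inner else []
    return value.strip("\"'")

def parse_yaml_subset(text):
    """Minimal parser (assumption) for the YAML subset in the advisory's snippet:
    indentation-nested 'key: value' mappings, scalar or inline-list leaves and
    '#' comments. Block sequences ('- item') are rejected on purpose."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the enclosing mappings
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep or key.startswith("-"):
            raise ValueError(f"unsupported YAML line: {raw!r}")
        while stack[-1][0] >= indent:   # leave mappings at equal/deeper indent
            stack.pop()
        parent, value = stack[-1][1], value.strip()
        if value:
            parent[key] = _scalar(value)
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def lookup(config, dotted_path):
    """Walk a dotted key path; None when any segment is missing."""
    node = config
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def distributed_cache_enabled(config):
    """The advisory's exploitability condition: redis URLs set for plan caching."""
    return bool(lookup(config, REDIS_URLS_PATH))

def remove_distributed_cache(config):
    """Workaround: drop the redis block that carries the urls key (copy returned;
    assumption that an empty redis mapping is not a useful config)."""
    fixed = copy.deepcopy(config)
    cache = lookup(fixed, "supergraph.query_planning.cache")
    if isinstance(cache, dict):
        cache.pop("redis", None)
    return fixed

def assess(version, config_text):
    """Vulnerable only when BOTH conditions hold: affected version and redis cache."""
    affected = version_affected(version)
    distributed = distributed_cache_enabled(parse_yaml_subset(config_text))
    return {"version_affected": affected, "distributed_cache": distributed,
            "vulnerable": affected and distributed}

# Constructed sample router.yaml: distributed query plan caching is on.
VULNERABLE_CONFIG = """\
supergraph:
  query_planning:
    cache:
      in_memory:
        limit: 512
      redis:  # distributed query plan cache: the exploitable condition
        urls: ["redis://cache.internal:6379", "redis://cache-2.internal:6379"]
"""
# Same file with every redis line removed: each router keeps only its own cache.
LOCAL_ONLY_CONFIG = "".join(l for l in VULNERABLE_CONFIG.splitlines(True) if "redis" not in l)
```

Run `assess("1.44.2", open("router.yaml").read())` for each router; only instances where both `version_affected` and `distributed_cache` are true are exposed, and `remove_distributed_cache` shows the shape of the mitigated config while you roll out 1.45.1. Scalars come back as strings (`"512"`), which is enough for presence checks but not for numeric comparisons.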