Attention Apollo Router users! A vulnerability has been found in certain versions of Apollo Router dealing with GraphQL subscriptions, which could lead to denial-of-service attacks. Read on to learn more about this vulnerability, the affected versions, and how to fix the issue.

The Vulnerability

The vulnerability lies in the Apollo Router, a high-performance graph router that powers federated supergraphs using Apollo Federation 2. It has been identified that specific versions of the Router are exposed to a Denial-of-Service (DoS) type issue, resulting in the Router panicking and terminating the process when GraphQL Subscriptions are enabled.

A Router is affected only when all four of the following conditions are met:

1. The Apollo Router must be running version v1.28.0, v1.28.1, or v1.29.0 (the impacted versions);

2. The Supergraph schema provided to the Router (either via Apollo Uplink or other configuration) must have a subscription type with root-fields defined;
3. The YAML configuration provided to the Router must have subscriptions enabled (they are disabled by default), either by setting enabled: true or by specifying a valid mode within the subscriptions object. You can find more information in the Router's subscriptions documentation;
4. The Router must receive an anonymous subscription operation (e.g., subscription { ... }).

If all four conditions are met, the vulnerable Router versions will panic and terminate.

It's essential to note that there is no data privacy risk or sensitive information exposure related to this vulnerability.

The Fix

Apollo has released a patch for this vulnerability in Apollo Router v1.29.1. If your Router is running one of the impacted versions, we highly recommend upgrading to v1.29.1.

Updating to the patched version should be a straightforward process for users operating on affected versions. However, if upgrading is not an option, you can disable GraphQL subscriptions in your Router configuration as an alternative way to mitigate the risk, provided that your Graph does not require Subscriptions support.

Here's a sample of a potentially vulnerable Apollo Router configuration:

# config.yaml
router:
  apollo_uplink: ...
supergraph:
  subscription:
    enabled: true
    mode: ...

To fix the issue, either update your Apollo Router to v1.29.1 or disable Subscriptions:

# config.yaml
router:
  apollo_uplink: ...
supergraph:
  subscription:
    enabled: false
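The four conditions above, together with the two configurations just shown, amount to an exposure check an operator can automate. The script below is an added example, not code from Apollo or from this advisory: it takes the Router version string, the parsed contents of config.yaml (as a dict) and the supergraph SDL, and reports whether the three static conditions (impacted version, subscription root fields in the schema, subscriptions enabled) all hold. The fourth condition, an incoming anonymous subscription operation, is a runtime event, so the script treats "all three static conditions true" as exposed. Assumptions: the SDL parser is an approximate regex parser (it honours an explicit schema { subscription: X } mapping, otherwise looks for type Subscription); the subscription object is looked up both at the top level and under supergraph, as in the sample config above; an explicit enabled: false is treated as disabling even if a mode is present; the SDL and configs at the bottom are constructed samples.

```python
import re

# Versions named in the advisory as impacted, and the release that fixes them.
IMPACTED_VERSIONS = {"1.28.0", "1.28.1", "1.29.0"}
FIXED_VERSION = "1.29.1"

_BLOCK_STRING = re.compile(r'"""[\s\S]*?"""')   # GraphQL descriptions
_STRING = re.compile(r'"[^"\n]*"')               # single-line strings (e.g. @link urls)
_COMMENT = re.compile(r"#[^\n]*")
_SCHEMA_BLOCK = re.compile(r"\bschema\b[^{]*\{([^}]*)\}")
_SUB_ROOT = re.compile(r"\bsubscription\s*:\s*(\w+)")


def normalize_version(version: str) -> str:
    """Strip a leading 'v' so 'v1.28.1' and '1.28.1' compare equal."""
    return version.strip().lstrip("vV")


def is_impacted_version(version: str) -> bool:
    """Condition 1: the Router binary is one of the impacted releases."""
    return normalize_version(version) in IMPACTED_VERSIONS


def subscription_root_fields(sdl: str) -> list[str]:
    """Condition 2: return the root field names of the subscription type.
    Approximate parse (assumption): strings and comments are stripped first so
    braces inside descriptions do not confuse the block regexes."""
    sdl = _COMMENT.sub("", _STRING.sub('""', _BLOCK_STRING.sub("", sdl)))
    type_name = "Subscription"
    schema = _SCHEMA_BLOCK.search(sdl)
    if schema:
        mapped = _SUB_ROOT.search(schema.group(1))
        if mapped:
            type_name = mapped.group(1)
    body = re.search(r"\btype\s+" + re.escape(type_name) + r"\b[^{]*\{([^}]*)\}", sdl)
    if not body:
        return []
    fields = []
    for line in body.group(1).splitlines():
        name = re.match(r"\s*(\w+)", line)
        if name:
            fields.append(name.group(1))
    return fields


def subscriptions_enabled(config: dict) -> bool:
    """Condition 3: subscriptions are on when `enabled: true` is set or a `mode`
    is given. Assumption: the object may sit at the top level or under
    `supergraph`; an explicit `enabled: false` wins over a leftover `mode`."""
    sub = config.get("subscription")
    if sub is None:
        sub = (config.get("supergraph") or {}).get("subscription")
    if not isinstance(sub, dict):
        return False
    enabled = sub.get("enabled")
    if enabled is False:
        return False
    return enabled is True or bool(sub.get("mode"))


def assess(version: str, config: dict, supergraph_sdl: str) -> dict:
    """Combine the three static conditions into one exposure verdict.
    The fourth condition (an anonymous subscription request arriving) is a
    runtime event, so exposure means the Router *can* be crashed by one."""
    findings = {
        "impacted_version": is_impacted_version(version),
        "schema_has_subscription_root_fields": bool(subscription_root_fields(supergraph_sdl)),
        "subscriptions_enabled": subscriptions_enabled(config),
    }
    exposed = all(findings.values())
    findings["exposed"] = exposed
    findings["action"] = (
        f"upgrade to v{FIXED_VERSION}, or set subscription.enabled: false"
        if exposed else "none required for this advisory"
    )
    return findings


# Constructed sample supergraph SDL (not a real deployment's schema).
SAMPLE_SUPERGRAPH_SDL = '''
schema
  @link(url: "https://specs.apollo.dev/link/v1.0")
{
  query: Query
  subscription: Subscription
}

type Query {
  me: String
}

"""Live events {braces in a description must not break the parse}"""
type Subscription {
  userCreated: String          # field with no args
  orderUpdated(id: ID!): String
}
'''

# Constructed parsed forms of the two config.yaml samples in the advisory.
VULNERABLE_CONFIG = {"supergraph": {"subscription": {"enabled": True, "mode": {"placeholder": {}}}}}
FIXED_CONFIG = {"supergraph": {"subscription": {"enabled": False}}}

if __name__ == "__main__":
    print(assess("v1.28.0", VULNERABLE_CONFIG, SAMPLE_SUPERGRAPH_SDL))
    print(assess("v1.29.1", VULNERABLE_CONFIG, SAMPLE_SUPERGRAPH_SDL))
    print(assess("v1.28.0", FIXED_CONFIG, SAMPLE_SUPERGRAPH_SDL))
```

Run it against the real version string, config and the SDL fetched from Uplink or your schema registry; a false result on any one of the three static checks means that condition does not hold and the advisory does not apply as described, while a true on all three means you should either upgrade or flip enabled to false as shown above.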

Conclusion

If you are running an affected Apollo Router version, it is crucial to take the necessary steps to upgrade or disable Subscriptions to safeguard your application against this DoS vulnerability. Be sure to always keep your software up to date to minimize the risk of vulnerabilities in the future.

Timeline

Published on: 09/05/2023 19:15:00 UTC
Last modified on: 09/08/2023 16:49:00 UTC