Home > Vulnerability Database > CVE-2024-28101

Mend.io Vulnerability Database

CVE-2024-28101

Good to know:

Date: March 6, 2024

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the `limits.http_max_request_bytes` configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory consumption while the compressed payload is expanded. Router version 1.40.2 has a fix for the vulnerability. Those who are unable to upgrade may be able to implement mitigations at proxies or load balancers positioned in front of their Router fleet (e.g. Nginx, HAProxy, or cloud-native WAF services) by creating limits on HTTP body upload size.

Language: RUST

Severity Score

7.5

Related Resources (4)

Url: https://github.com/apollographql/router/security/advisories/GHSA-cgqf-3cq5-wvcj

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28101

Url: https://github.com/apollographql/router/commit/9e9527c73c8f34fc8438b09066163cd42520f413

Url: https://www.mend.io/vulnerability-database/CVE-2024-28101

Severity Score

7.5

Top Fix

Upgrade Version

Upgrade to version apollo-router - 1.40.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28101

Good to know:

Date: March 6, 2024

Language: RUST

Severity Score

Related Resources (4)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?