CVE-2023-45812
Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions
Description
### Impact The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. ### Patches Router version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue. ### Workarounds For affected versions, avoid using the coprocessor supergraph response: ```yml # do not use this stage in your coprocessor configuration coprocessor: supergraph: response: ``` Or you can disable defer and subscriptions support: ```yml # disable defer and subscriptions: supergraph: defer_support: false # enabled by default subscription: enabled: false # disabled by default ``` and continue to use the coprocessor supergraph response. ### References https://github.com/apollographql/router/issues/4013
How to fix CVE-2023-45812
To remediate CVE-2023-45812, upgrade the affected package to a fixed version below.
- —upgrade to 1.33.0 or later
Is CVE-2023-45812 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.31.0, < 1.33.0