
CVE-2024-32971: Apollo Router vulnerable to Critical Regression In Query Plan Cache

May 2, 2024

Any instance of Apollo Router 1.44.0 or 1.45.0 that is using Distributed Query Plan Caching is impacted. These versions were released on 2024-04-12 and 2024-04-22 respectively.

The affected versions of Apollo Router contain a bug that could lead to unexpected operations being executed, which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. Router versions other than the ones listed above, and all Router deployments that are not using distributed query plan caching, are unaffected by this defect.

If you are running one of the affected versions, check your router's configuration YAML to verify whether you are affected. The deployment is affected only if a distributed cache backend is configured under the following keys:

supergraph:
  query_planning:
    cache:
      # a distributed cache backend configured under this key means the instance is affected
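A small checker for the two conditions above (an affected version and a distributed query plan cache configured), written here as an added example rather than Apollo's or GitLab's code. It assumes the distributed backend is configured under the `redis` key of that cache section, as Apollo's distributed-caching docs (linked below) describe, and carries a tiny YAML-subset loader so it runs without PyYAML; the sample configs are constructed.

```python
"""Check whether an Apollo Router deployment matches the CVE-2024-32971 conditions.

Added example, not Apollo's or GitLab's code. Assumes the distributed query plan cache
backend lives under supergraph.query_planning.cache.redis (per Apollo's distributed-caching
docs); the loader handles only the nested-map YAML subset needed here, not full YAML.
"""
AFFECTED_MIN = (1, 44, 0)   # first affected release, 2024-04-12
FIXED = (1, 45, 1)          # first fixed release

def parse_version(v: str) -> tuple:
    # "v1.45.0-rc.1" -> (1, 45, 0); pre-release tags are ignored for this range check
    return tuple(int(p) for p in v.lstrip("v").split("-")[0].split("."))

def version_affected(v: str) -> bool:
    return AFFECTED_MIN <= parse_version(v) < FIXED

def load_simple_yaml(text: str) -> dict:
    """Minimal loader: 'key:' / 'key: value' lines, '#' comments, indentation nesting."""
    root: dict = {}
    stack = [(-1, root)]          # (indent, mapping) pairs from root to current node
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()           # dedent: close mappings deeper than this line
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def uses_distributed_cache(config: dict) -> bool:
    cache = config.get("supergraph", {}).get("query_planning", {}).get("cache", {})
    return isinstance(cache, dict) and "redis" in cache   # assumption: redis == distributed backend

def is_affected(version: str, config_yaml: str) -> bool:
    return version_affected(version) and uses_distributed_cache(load_simple_yaml(config_yaml))

# constructed sample configs (not from a real deployment)
DISTRIBUTED = "supergraph:\n  query_planning:\n    cache:\n      redis:\n        urls: [redis://cache.internal:6379]\n"
IN_MEMORY = "supergraph:\n  query_planning:\n    cache:\n      in_memory:\n        limit: 512\n"

if __name__ == "__main__":
    for ver in ("1.43.2", "1.44.0", "1.45.0", "1.45.1"):
        print(ver, "distributed:", is_affected(ver, DISTRIBUTED), "in-memory:", is_affected(ver, IN_MEMORY))
```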

References

  • github.com/advisories/GHSA-q9p4-hw9m-fj2v
  • github.com/apollographql/router
  • github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529
  • github.com/apollographql/router/releases/tag/v1.45.1
  • github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v
  • nvd.nist.gov/vuln/detail/CVE-2024-32971
  • www.apollographql.com/docs/router/configuration/distributed-caching/


Affected versions

All versions starting from 1.44.0 before 1.45.1

Fixed versions

  • 1.45.1

Solution

Upgrade to version 1.45.1 or above.

Impact: 9 (CRITICAL)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Weakness

  • CWE-440: Expected Behavior Violation

Source file

cargo/apollo-router/CVE-2024-32971.yml


Page generated Wed, 14 May 2025 12:15:14 +0000.