Описание
Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow
Impact
Summary
A vulnerability in Apollo Router allowed certain queries to bypass configured operation limits, specifically due to integer overflow.
Details
The operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments.
Fix/Mitigation
Logic was updated to ensure counter overflow is handled correctly and does not wrap around to 0.
Patches
This has been remediated in apollo-router versions 1.61.2 and 2.1.1.
Workarounds
The only known workaround is "Safelisting" or "Safelisting with IDs only" per Safelisting with Persisted Queries - Apollo GraphQL Docs.
Acknowledgements
We appreciate the efforts of the security community in identifying and improving the performance and security of operation limiting mechanisms.
Ссылки
- https://github.com/apollographql/router/security/advisories/GHSA-84m6-5m72-45fp
- https://nvd.nist.gov/vuln/detail/CVE-2025-32033
- https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564
- https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952
Пакеты
apollo-router
< 1.61.2
1.61.2
apollo-router
>= 2.0.0-alpha.0, < 2.1.1
2.1.1
Связанные уязвимости
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments. This has been remediated in apollo-router versions 1.61.2 and 2.1.1.