{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T12:45:30.470","vulnerabilities":[{"cve":{"id":"CVE-2023-41317","sourceIdentifier":"security-advisories@github.com","published":"2023-09-05T19:15:48.610","lastModified":"2024-11-21T08:21:03.507","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled.  It can be triggered when **all of the following conditions are met**: 1. Running Apollo Router v1.28.0, v1.28.1 or v1.29.0 (\"impacted versions\"); **and** 2. The Supergraph schema provided to the Router (either via Apollo Uplink or explicitly via other configuration) **has a `subscription` type** with root-fields defined; **and** 3. The YAML configuration provided to the Router **has subscriptions enabled** (they are _disabled_ by default), either by setting `enabled: true` _or_ by setting a valid `mode` within the `subscriptions` object (as seen in [subscriptions' documentation](https://www.apollographql.com/docs/router/executing-operations/subscription-support/#router-setup)); **and** 4. An [anonymous](https://spec.graphql.org/draft/#sec-Anonymous-Operation-Definitions) (i.e., un-named) `subscription` operation (e.g., `subscription { ... }`) is received by the Router If **all four** of these criteria are met, the impacted versions will panic and terminate.  There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability. This is fixed in Apollo Router v1.29.1. Users are advised to upgrade. Updating to v1.29.1 should be a clear and simple upgrade path for those running impacted versions.  However, if Subscriptions are **not** necessary for your Graph – but are enabled via configuration — then disabling subscriptions is another option to mitigate the risk."},{"lang":"es","value":"El Apollo Router es un router gráfico configurable y de alto rendimiento escrito en Rust para ejecutar un supergrafo federado que utiliza Apollo Federation 2. Las versiones afectadas están sujetas a una vulnerabilidad de tipo Denegación de Servicio (DoS) que hace que el Router entre en pánico y termine cuando GraphQL Subscriptions está habilitado. Puede activarse cuando **se cumplen todas las condiciones siguientes**: 1. Se ejecuta Apollo Router v1.28.0, v1.28.1 o v1.29.0 (versiones impactadas); **y** 2. El esquema Supergraph proporcionado al router (ya sea a través de Apollo Uplink o explícitamente a través de otra configuración) **tiene un tipo \"subscription\"** con campos raíz definidos; **y** 3. La configuración YAML proporcionado al router **tiene las suscripciones habilitadas** (están _disabled_ por defecto), ya sea estableciendo \"enabled: true\" o estableciendo un \"mode\" válido dentro del objeto \"subscriptions\" (como se ve en [subscriptions' documentation](https://www. apollographql.com/docs/router/executing-operations/subscription-support/#router-setup)); **y** 4. Una operación de \"suscripción\" [anónima] (https://spec.graphql.org/draft/#sec-Anonymous-Operation-Definitions) (es decir, (es decir, sin nombre)(por ejemplo, `subscription { ... }`) es recibido por el Router. Si se cumplen **los cuatro** de estos criterios, las versiones afectadas entrarán en pánico y terminarán. Esta vulnerabilidad no supone ningún riesgo para la privacidad de los datos o la exposición de información sensible. Esto se ha solucionado en Apollo Router v1.29.1. Se recomienda a los usuarios que actualicen. La actualización a la v1.29.1 debería ser una ruta de actualización clara y sencilla para aquellos que utilicen las versiones afectadas. Sin embargo, si las Suscripciones **no** son necesarias para su Gráfico - pero están habilitadas a través de la configuración - entonces deshabilitar las suscripciones es otra opción para mitigar el riesgo. "}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-755"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*","versionStartIncluding":"1.28.0","versionEndExcluding":"1.29.1","matchCriteriaId":"E16E7795-17A4-44E0-8F0C-0BB23693EBF5"}]}]}],"references":[{"url":"https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/apollographql/router/releases/tag/v1.29.1","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/apollographql/router/releases/tag/v1.29.1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes"]},{"url":"https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}