CVE-2024-43414: 
JavaScript vulnerability analysis and mitigation

Apollo Federation's query planner (@apollo/query-planner) versions >=2.0.0 and <2.8.5 contains a denial-of-service vulnerability. This issue also affects @apollo/gateway versions >=2.0.0 and < 2.8.5 and Apollo Router <1.52.1 through their use of @apollo/query-planner. The vulnerability was disclosed on August 27, 2024 (GitHub Advisory).

The vulnerability occurs when the Apollo query planner attempts to use a Number exceeding Javascript's Number.MAXVALUE (2^1024 - 2^971). When processing complex queries, especially those where fields can be solved through multiple subgraphs, the number of query plan permutations can exceed Number.MAXVALUE. In Javascript, this results in the value being represented as 'infinity'. When this happens, the component responsible for pruning less-than-optimal query plans fails to prune candidates, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (NVD).

If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination. The issue can be triggered if there is at least one non-@key field that can be resolved by multiple subgraphs (GitHub Advisory).

The issue has been patched in @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5, and Apollo Router v1.52.1. Users are advised to upgrade to these versions. As a workaround, users can ensure there are no fields resolvable from multiple subgraphs. For Federation 2 users, this can be confirmed by ensuring no subgraph schemas use the @shareable directive. Federation 1 users need to validate that there are no fields resolvable by multiple subgraphs (GitHub Advisory).