
Cloud Vulnerability DB
A community-led vulnerabilities database
Apollo Router Core, the graph router for Apollo Federation 2 supergraphs written in Rust, contains a denial-of-service vulnerability (CVE-2024-43783) affecting versions >=1.7.0 and <1.52.1. The Router is only affected in two configurations: when External Coprocessing is configured to send request bodies to the coprocessor (a capability available since version 1.21.0), or when a custom-developed Native Rust Plugin reads Request.router_request in the RouterService layer (GitHub Advisory).
The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). Under normal operation the Router rejects request bodies larger than the limits.http_max_request_bytes setting, which defaults to 2 MB. In the two affected configurations, however, the Router reads the entire HTTP request body into memory without applying that limit, so a request larger than the configured value is buffered in full and a sufficiently large request can drive the process to out-of-memory (OOM) termination (GitHub Advisory).
The impact is denial of service: any client that can reach the Router can send an oversized request body and cause OOM termination of the Router process, making the supergraph unavailable. Only deployments that send request bodies to an External Coprocessor, or that run a custom Native Rust Plugin accessing request bodies in the RouterService layer, are exposed; deployments without either configuration still have the body limit enforced (GitHub Advisory).
Users should upgrade to Apollo Router 1.52.1 or later, which fixes the issue. If an immediate upgrade is not possible, the advisory lists three workarounds: 1) For External Coprocessing, set coprocessor.router.request.body to false; the coprocessor then no longer receives request bodies, which will break any coprocessor logic that depends on them. 2) For Native Rust Plugins, change the plugin so that it either does not accumulate the request body at all or enforces its own maximum body size while reading it. 3) Enforce an HTTP request body size limit in front of the Router with a reverse proxy or web application firewall, set at or below the value of limits.http_max_request_bytes, so that oversized requests are rejected before they reach the Router (GitHub Advisory, Router Release).
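The following Rust program is an added illustration of the CWE-770 pattern behind this advisory and of the plugin-side workaround (option 2 above). It is not Apollo Router code and does not use the Router's plugin API: the chunk iterator stands in for a streaming request body and the content_length argument for the request's Content-Length header, both of which are assumptions made for this example. The vulnerable function concatenates chunks with no upper bound, as a plugin that naively collects Request.router_request would; the hardened function enforces a cap of its own so that the buffer never grows past the limit regardless of what the Router applies on that path.

```rust
// Added example, not Apollo Router or advisory code. Models a component that
// reads a whole HTTP request body into memory and must bound that read itself,
// because limits.http_max_request_bytes is not applied on its path in affected
// Router versions. The chunk iterator and `content_length` are assumptions
// standing in for a real body stream and the Content-Length header.

/// Default of limits.http_max_request_bytes, 2 MB per the advisory
/// (taken here as 2,000,000 bytes).
pub const ROUTER_DEFAULT_MAX_REQUEST_BYTES: usize = 2_000_000;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// `seen` is how many bytes had been read when the cap was exceeded.
    TooLarge { max_bytes: usize, seen: usize },
}

/// Vulnerable pattern: concatenate every chunk with no upper bound, so the
/// buffer grows to whatever the client is willing to send.
pub fn accumulate_unbounded<I>(chunks: I) -> Vec<u8>
where
    I: IntoIterator<Item = Vec<u8>>,
{
    let mut buf = Vec::new();
    for chunk in chunks {
        buf.extend_from_slice(&chunk);
    }
    buf
}

/// Hardened pattern: reject early from the declared Content-Length when it is
/// present, then re-check the cap on every chunk so the buffer never holds
/// more than `max_bytes`, whatever the client declared or actually streams.
pub fn accumulate_bounded<I>(
    content_length: Option<usize>,
    chunks: I,
    max_bytes: usize,
) -> Result<Vec<u8>, BodyError>
where
    I: IntoIterator<Item = Vec<u8>>,
{
    if let Some(declared) = content_length {
        if declared > max_bytes {
            return Err(BodyError::TooLarge { max_bytes, seen: 0 });
        }
    }
    // Content-Length is client-controlled: never pre-allocate more than the cap.
    let mut buf = Vec::with_capacity(content_length.unwrap_or(0).min(max_bytes));
    let mut seen = 0usize;
    for chunk in chunks {
        seen = seen.saturating_add(chunk.len());
        if seen > max_bytes {
            // Stop reading here; the caller should answer 413 Payload Too Large
            // and drop the connection rather than keep draining the body.
            return Err(BodyError::TooLarge { max_bytes, seen });
        }
        buf.extend_from_slice(&chunk);
    }
    Ok(buf)
}

fn main() {
    // Constructed sample: a 3 MB body streamed in 100 KB chunks, over the
    // Router's 2 MB default.
    let body: Vec<Vec<u8>> = (0..30).map(|_| vec![b'{'; 100_000]).collect();

    let unbounded = accumulate_unbounded(body.clone());
    println!("unbounded: buffered {} bytes", unbounded.len());

    // Chunked transfer, no Content-Length: the cap is hit on the 21st chunk.
    match accumulate_bounded(None, body, ROUTER_DEFAULT_MAX_REQUEST_BYTES) {
        Ok(buf) => println!("bounded: accepted {} bytes", buf.len()),
        Err(BodyError::TooLarge { max_bytes, seen }) => {
            println!("bounded: rejected after {} bytes (limit {})", seen, max_bytes)
        }
    }
}
```

In a real plugin the cap should be the same value the Router is configured with, so that the two limits do not drift apart. Note that this fix only applies to code you control: the External Coprocessing path inside the Router cannot be bounded this way, which is why the advisory's options for it are disabling request bodies or limiting them upstream.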
Source: This report was generated using AI