VYPR
Moderate severity · NVD Advisory · Published Sep 5, 2023 · Updated Sep 30, 2024

Unnamed "Subscription" operation results in Denial-of-Service in apollographql/router

CVE-2023-41317

Description

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. It can be triggered when all of the following conditions are met:

1. The Router is running Apollo Router v1.28.0, v1.28.1 or v1.29.0 ("impacted versions"); and
2. The Supergraph schema provided to the Router (either via Apollo Uplink or explicitly via other configuration) has a subscription type with root fields defined; and
3. The YAML configuration provided to the Router has subscriptions enabled (they are disabled by default), either by setting enabled: true or by setting a valid mode within the subscriptions object (as seen in the subscriptions documentation); and
4. An anonymous (i.e., un-named) subscription operation (e.g., subscription { ... }) is received by the Router.

If all four of these criteria are met, the impacted versions will panic and terminate. There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability. This is fixed in Apollo Router v1.29.1. Users are advised to upgrade. Updating to v1.29.1 should be a clear and simple upgrade path for those running impacted versions. However, if Subscriptions are not necessary for your Graph but are enabled via configuration, then disabling subscriptions is another option to mitigate the risk.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apollo Router versions 1.28.0, 1.28.1, and 1.29.0 panic and terminate when an anonymous subscription operation is sent with subscriptions enabled, causing a denial-of-service.

Vulnerability

Overview

CVE-2023-41317 is a denial-of-service (DoS) vulnerability in the Apollo Router, a high-performance graph router for Apollo Federation 2. The bug is a regression introduced in version 1.28.0 that causes the Router to panic and terminate when processing an anonymous (unnamed) subscription operation under specific conditions [1][3][4]. The root cause lies in how the Router handles subscription operations without a name when subscriptions are enabled and the supergraph schema defines a subscription type with root fields.
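The panic path, as an added illustration that is not the Router's own code: the helper removed by the fix (shown in the patch section of this page) calls `as_str().unwrap()` on the context entry for the operation name. The example below assumes that an anonymous operation leaves that entry present but holding a JSON null, and uses a small stand-in `Value` enum in place of serde_json so it runs with the standard library alone; it puts the unchecked form beside a hardened one that returns `None` instead of aborting the process.

```rust
use std::collections::HashMap;

// Stand-in for the JSON value stored in the Router's context entries
// (constructed for this example; the real Router holds serde_json values).
enum Value {
    Null,
    Str(String),
}

impl Value {
    // Mirrors serde_json's as_str(): Some for strings, None for anything else.
    fn as_str(&self) -> Option<&str> {
        match self {
            Value::Str(s) => Some(s.as_str()),
            Value::Null => None,
        }
    }
}

const OPERATION_NAME: &str = "operation_name";
struct Context {
    entries: HashMap<String, Value>,
}

impl Context {
    // Same shape as the helper the fix removes: unwrap() on as_str()
    // panics as soon as the stored value is not a string.
    fn operation_name_unchecked(&self) -> Option<String> {
        self.entries
            .get(OPERATION_NAME)
            .map(|v| v.as_str().unwrap().to_string())
    }

    // Hardened form: a non-string entry becomes None instead of a panic.
    fn operation_name_safe(&self) -> Option<String> {
        self.entries
            .get(OPERATION_NAME)
            .and_then(|v| v.as_str())
            .map(str::to_string)
    }
}

// Context as an operation would leave it; Value::Null models the anonymous
// `subscription { ... }` case (assumption: the key is present but null).
fn context_with(value: Value) -> Context {
    let mut entries = HashMap::new();
    entries.insert(OPERATION_NAME.to_string(), value);
    Context { entries }
}
```

With a named operation both helpers agree; with the null entry the unchecked helper unwinds the thread, which in the Router's process meant termination, while the hardened one simply reports no name.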

Exploitation

Conditions

An attacker can trigger the panic by sending a single anonymous subscription operation (e.g., subscription { ... }) to an affected Router. All four of the following conditions must be met: the Router must be running version 1.28.0, 1.28.1, or 1.29.0; the supergraph schema must include a subscription type with root fields; subscriptions must be enabled in the YAML configuration (they are disabled by default); and the operation must be anonymous [1][4]. No authentication or special privileges are required beyond network access to the Router.

Impact

Successful exploitation causes the Router process to panic and terminate immediately, resulting in a denial of service. The vulnerability does not expose sensitive data or compromise data privacy [1][4]. Depending on the deployment environment (e.g., single instance vs. load-balanced with auto-restart), the impact may range from brief service interruption to prolonged unavailability.

Mitigation

The vulnerability is fixed in Apollo Router version 1.29.1 [1][3][4]. Users running affected versions should upgrade to this release. As an alternative, if subscriptions are not required, disabling them in the YAML configuration (by removing the subscriptions block or setting enabled: false) eliminates the attack vector [1][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: apollo-router (crates.io)
Affected versions: >= 1.28.0, < 1.29.1
Patched versions: 1.29.1

Affected products: 2

Patches: 1
b295c103dd86

Subscriptions: Correct v1.28.x regression allowing panic via un-named subscription operation (#3738)

https://github.com/apollographql/router · Jeremy Lempereur · Sep 4, 2023 · via ghsa
3 files changed · +16 −8
  • apollo-router/src/context/mod.rs · +0 −7 · modified
    @@ -70,13 +70,6 @@ impl Context {
     }
     
     impl Context {
    -    pub(crate) fn operation_name(&self) -> Option<String> {
    -        // This method should be removed once we have a proper way to get the operation name.
    -        self.entries
    -            .get(OPERATION_NAME)
    -            .map(|v| v.value().as_str().unwrap().to_string())
    -    }
    -
         /// Returns true if the context contains a value for the specified key.
         pub fn contains_key<K>(&self, key: K) -> bool
         where
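Review bot: the removed helper is the panic site: `.map(|v| v.value().as_str().unwrap().to_string())` unwraps `as_str()`, which returns None whenever the stored entry is not a string, so a non-string operation-name entry (as an un-named operation would leave) aborts the process. Deleting the method rather than making it return None is fine given its own "should be removed" comment, but the change should confirm that no other caller of `Context::operation_name` remains, otherwise the build breaks.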
    
  • apollo-router/src/services/subgraph_service.rs · +7 −1 · modified
    @@ -431,6 +431,13 @@ async fn call_websocket(
         subgraph_cfg: &WebSocketConfiguration,
         subscription_hash: String,
     ) -> Result<SubgraphResponse, BoxError> {
    +    let operation_name = request
    +        .subgraph_request
    +        .body()
    +        .operation_name
    +        .clone()
    +        .unwrap_or_default();
    +
         let SubgraphRequest {
             subgraph_request,
             subscription_stream,
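Review bot: the new `operation_name` is read through `request.subgraph_request.body()` immediately before `request` is destructured into `subgraph_request`; reading `subgraph_request.body().operation_name` after the `let SubgraphRequest { ... }` line would avoid the reach-through and keep the borrow local. `unwrap_or_default()` yields an empty string for an anonymous operation, which is acceptable for the tracing attribute it feeds, but a one-line comment saying so would stop a future reader from tightening it back into an unwrap.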
    @@ -445,7 +452,6 @@ async fn call_websocket(
         let (handle, created) = notify
             .create_or_subscribe(subscription_hash.clone(), false)
             .await?;
    -    let operation_name = context.operation_name().unwrap_or_default();
         tracing::info!(
             monotonic_counter.apollo.router.operations.subscriptions = 1u64,
             subscriptions.mode = %"passthrough",
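Review bot: removing `context.operation_name().unwrap_or_default()` drops the only use of `context` visible in this function; if nothing else reads it, the compiler will warn on the destructured binding, so either confirm another use or prefix it with an underscore. The replacement binding now lives some fifteen lines above the `tracing::info!` that consumes it, which is fine, but this is the spot where a regression test feeding an un-named subscription through `call_websocket` would pin the fix.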
    
  • .changesets/fix_dragonfly_ship_win_folder.md · +9 −0 · added
    @@ -0,0 +1,9 @@
    +### Subscriptions: Correct v1.28.x regression allowing panic via un-named subscription operation
    +
    +Correct a regression that was introduced in Router v1.28.0 which made a Router **panic** possible when the following _three_ conditions are _all_ met:
    +
    +1. When sending an un-named (i.e., "anonymous") `subscription` operation (e.g., `subscription { ... }`); **and**;
    +2. The Router has a `subscription` type defined in the Supergraph schema; **and**
    +3. Have subscriptions enabled (they are disabled by default) in the Router's YAML configuration, either by setting `enabled: true` _or_ by setting a `mode` within the `subscriptions` object (as seen in [the subscriptions documentation](https://www.apollographql.com/docs/router/executing-operations/subscription-support/#router-setup).
    +
    +By [@o0Ignition0o](https://github.com/o0Ignition0o) in https://github.com/apollographql/router/pull/3738
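Review bot: in condition 3 the parenthetical `(as seen in [the subscriptions documentation](...)` is never closed; add the `)` before the full stop. Condition 1 carries a stray semicolon after `**and**`, and the changeset says "_three_ conditions" while the advisory text on this page counts the affected version range as a fourth; stating the impacted versions (1.28.0 through 1.29.0) in the changeset would let release-note readers check applicability without consulting the advisory.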
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.