CVE-2024-32971 Overview
CVE-2024-32971 is a critical vulnerability in Apollo Router, a configurable graph router written in Rust that runs federated supergraphs with Apollo Federation 2. The vulnerability exists in the distributed query plan caching mechanism and can lead to unexpected operations being executed, resulting in unintended data exposure or side effects.
When distributed query plan caching is enabled, a bug in the cache retrieval logic can cause the Router to execute a modified version of a previously cached operation instead of the intended operation. This affects queries, mutations, and subscriptions, potentially leading to data leakage or unauthorized data modifications.
Critical Impact
Attackers may exploit this cache confusion vulnerability to access unauthorized data through queries (e.g., fetching enterprise user data instead of trial users) or trigger unintended mutations (e.g., deleting the wrong user record), leading to significant data integrity and confidentiality breaches.
Affected Products
- Apollo Router version 1.44.0
- Apollo Router version 1.45.0
- Apollo Router instances with distributed query plan caching enabled using Redis
Discovery Timeline
- 2024-05-02 - CVE-2024-32971 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-32971
Vulnerability Analysis
This vulnerability (CWE-440: Expected Behavior Violation) occurs when the Apollo Router's cache retrieval logic fails to properly differentiate between cached query plans. In a federated GraphQL architecture, query plans are pre-computed execution strategies that determine how operations are routed to underlying subgraph servers.
The core issue lies in how the Router handles cache key generation or lookup for distributed query plan caching with Redis. When multiple operations share similar characteristics, the cache may return an incorrect query plan, causing the Router to execute a variation of a different, previously-cached operation.
For query operations, this could mean fetching data with different filter parameters than intended (e.g., fetchUsers(type: ENTERPRISE) executing instead of fetchUsers(type: TRIAL)). For mutations, the consequences are more severe—incorrect mutations may be sent to subgraph servers, such as deleteUser(id: 12) executing instead of deleteUser(id: 10), leading to data corruption or unauthorized modifications.
Root Cause
The root cause is a bug in Apollo Router's cache retrieval logic for distributed query plan caching. The cache key generation or matching algorithm does not adequately distinguish between different operations, causing query plans for one operation to be incorrectly applied to another. This inadvertent execution of cached plans for modified or different operations leads to the observed misbehavior.
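The following is an added, illustrative model of the defect class described above (a query plan cache whose key is too coarse to tell two operations apart), placed beside a key that does distinguish them. It is not Apollo Router's code and does not reproduce the actual bug: the planner, the key functions, the PlanCache class and verify_plan are all hypothetical stand-ins, and the plan is simply the normalized operation text. verify_plan also shows the kind of application-layer check a router could run before executing a plan that came back from a cache.

```python
import hashlib
import re

# Matches the operation kind, the root field and its literal arguments of a
# simple single-root GraphQL document, e.g. "mutation { deleteUser(id: 10) { ok } }".
ROOT_RE = re.compile(r"^\s*(query|mutation|subscription)\s*\{\s*(\w+)(?:\(([^)]*)\))?")


def root_of(document):
    """Return (kind, root field, argument text) for an operation document."""
    m = ROOT_RE.match(document)
    if not m:
        raise ValueError("unsupported document shape: %r" % document)
    kind, field, args = m.groups()
    return kind, field, " ".join((args or "").split())


def plan_operation(document):
    """Stand-in planner (hypothetical): the 'plan' is the normalized document,
    i.e. the fetch that would be sent to a subgraph, plus its root signature."""
    return {"fetch": " ".join(document.split()), "root": root_of(document)}


def weak_key(document):
    """Hypothetical coarse cache key: operation kind and root field name only.
    Documents that differ only in argument literals collide on this key."""
    kind, field, _args = root_of(document)
    return "%s:%s" % (kind, field)


def strong_key(document):
    """Key on the hash of the whole normalized document, so any difference in
    the operation text (including argument literals) yields a different key."""
    normalized = " ".join(document.split())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class PlanCache:
    """Minimal in-process model of a query plan cache keyed by key_fn."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}
        self.hits = 0
        self.misses = 0

    def get_plan(self, document):
        key = self.key_fn(document)
        plan = self.store.get(key)
        if plan is None:
            self.misses += 1
            plan = plan_operation(document)
            self.store[key] = plan
        else:
            self.hits += 1
        return plan


def verify_plan(plan, document):
    """Defensive check: refuse a cached plan whose root field or literal
    arguments do not match the operation the client actually sent."""
    return plan["root"] == root_of(document)


def demo(key_fn):
    """Plan two mutations that differ only in the id literal and report what the
    second request would execute, plus how many cache hits occurred."""
    cache = PlanCache(key_fn)
    cache.get_plan("mutation { deleteUser(id: 10) { ok } }")
    second = cache.get_plan("mutation { deleteUser(id: 12) { ok } }")
    return second["fetch"], cache.hits


if __name__ == "__main__":
    for name, fn in (("weak_key", weak_key), ("strong_key", strong_key)):
        fetch, hits = demo(fn)
        print("%s: second request executes %r (hits=%d)" % (name, fetch, hits))
```

With the coarse key the second request is served the first request's plan and would delete id 10 instead of id 12, which is the confusion pattern the advisory describes; with the document-hash key it misses the cache and is planned on its own. Note that real query plans are keyed on more than the examples here, and subgraph fetches normally carry variables rather than inlined literals, so treat this purely as a model of the failure mode.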
Attack Vector
The vulnerability is exploitable over the network without authentication requirements. An attacker could potentially craft GraphQL requests designed to exploit the cache confusion, manipulating the timing or sequence of requests to cause the Router to return cached results or execute cached mutations intended for different operations. The attack requires the target Router to have distributed query plan caching enabled with Redis.
The following Cargo.lock snippet shows the version bump from the security patch:
[[package]]
name = "apollo-router"
-version = "1.45.0"
+version = "1.45.1"
dependencies = [
"access-json",
"anyhow",
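Review bot: this hunk only changes the apollo-router crate's version string in Cargo.lock from "1.45.0" to "1.45.1"; it does not show the corrected cache retrieval logic that the advisory credits the fix with, so the functional change must be reviewed separately rather than inferred from this hunk. The excerpt is also cut off after "anyhow", so the remainder of the dependency list is not visible here.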
Source: GitHub Commit Update
Detection Methods for CVE-2024-32971
Indicators of Compromise
- Unexpected query results that don't match the requested parameters or filters
- Mutation operations affecting incorrect records or entities
- Log entries showing cache hits for operations that should be cache misses
- User reports of seeing data belonging to other users or incorrect data sets
- Audit trail discrepancies showing operations executed with different parameters than logged
Detection Strategies
- Monitor GraphQL operation logs for parameter mismatches between requests and executed operations
- Implement correlation checks between client-requested operations and actual subgraph queries
- Enable detailed Redis cache logging to track query plan retrieval anomalies
- Deploy application-level monitoring for unexpected mutation side effects
- Use SentinelOne Singularity to detect anomalous application behavior patterns indicative of cache manipulation
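As an added example of the parameter-mismatch and correlation checks listed above (not part of the original page and not an Apollo Router feature), the script below joins the operation a client requested with the operation the router forwarded to a subgraph, by trace id, and flags any difference in operation kind, root field or literal arguments. The log line format is constructed for this example; a real deployment would feed it from request tracing as recommended further down, and the regex would have to be adapted to the router's actual log or trace schema.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not Apollo Router's native format). Each line
# carries a trace id so the client request and the subgraph request can be joined.
SAMPLE_LOG = """\
trace=t1 stage=client op=query fetchUsers(type: TRIAL) { id name }
trace=t1 stage=subgraph op=query fetchUsers(type: TRIAL) { id name }
trace=t2 stage=client op=query fetchUsers(type: TRIAL) { id name }
trace=t2 stage=subgraph op=query fetchUsers(type: ENTERPRISE) { id name }
trace=t3 stage=client op=mutation deleteUser(id: 10) { ok }
trace=t3 stage=subgraph op=mutation deleteUser(id: 12) { ok }
trace=t4 stage=client op=query fetchUsers(type: TRIAL) { id name }
"""

LOG_RE = re.compile(
    r"^trace=(?P<trace>\S+) stage=(?P<stage>client|subgraph) "
    r"op=(?P<kind>query|mutation|subscription) "
    r"(?P<field>\w+)(?:\((?P<args>[^)]*)\))?"
)


@dataclass
class Operation:
    kind: str
    field: str
    args: dict


@dataclass
class Finding:
    trace: str
    requested: Operation
    executed: Operation
    differences: dict  # name -> (requested value, executed value)


def parse_args(text):
    """Turn 'type: TRIAL, limit: 5' into {'type': 'TRIAL', 'limit': '5'}."""
    args = {}
    if not text:
        return args
    for pair in text.split(","):
        name, _, value = pair.partition(":")
        args[name.strip()] = value.strip()
    return args


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    op = Operation(m["kind"], m["field"], parse_args(m["args"]))
    return m["trace"], m["stage"], op


def diff_operations(requested, executed):
    """Report every way the executed operation departs from the requested one."""
    diffs = {}
    if requested.kind != executed.kind:
        diffs["__kind__"] = (requested.kind, executed.kind)
    if requested.field != executed.field:
        diffs["__field__"] = (requested.field, executed.field)
    for name in sorted(set(requested.args) | set(executed.args)):
        a, b = requested.args.get(name), executed.args.get(name)
        if a != b:
            diffs[name] = (a, b)
    return diffs


def correlate(log_text):
    """Join client and subgraph lines by trace id and return mismatches."""
    by_trace = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        trace, stage, op = parsed
        by_trace.setdefault(trace, {"client": None, "subgraph": []})
        if stage == "client":
            by_trace[trace]["client"] = op
        else:
            by_trace[trace]["subgraph"].append(op)
    findings = []
    for trace, stages in by_trace.items():
        if stages["client"] is None:
            continue  # cannot judge a subgraph fetch without the client request
        for executed in stages["subgraph"]:
            diffs = diff_operations(stages["client"], executed)
            if diffs:
                findings.append(Finding(trace, stages["client"], executed, diffs))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print("trace %s: %s -> mismatch %s" % (f.trace, f.requested.field, f.differences))
```

Traces t2 and t3 are flagged (a query served with a different filter and a mutation sent with a different id), t1 is clean, and t4 is skipped because no subgraph line was seen. In a real federated deployment the router rewrites fetches per subgraph and may fan one client operation out into several, so compare on the root field and argument literals as done here and treat a hit as a lead for investigation rather than proof of exploitation.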
Monitoring Recommendations
- Configure alerting for Redis cache anomalies and unexpected hit/miss ratios
- Implement end-to-end request tracing to correlate client requests with subgraph operations
- Monitor for unusual patterns in data access that may indicate cache confusion exploitation
- Review Apollo Router logs for operation execution discrepancies
- Establish baseline metrics for query plan cache behavior to identify deviations
How to Mitigate CVE-2024-32971
Immediate Actions Required
- Upgrade Apollo Router to version 1.45.1 or higher immediately
- Alternatively, downgrade to version 1.43.2 if upgrading is not feasible
- Disable distributed query plan caching if immediate patching is not possible
- Audit recent mutations for potential unauthorized modifications
- Review data access logs for evidence of exploitation
Patch Information
Apollo has released version 1.45.1 to address this vulnerability. Versions 1.44.0 and 1.45.0 have been withdrawn and should not be used. The fix corrects the cache retrieval logic to ensure query plans are properly matched to their intended operations.
For additional details, refer to the GitHub Security Advisory GHSA-q9p4-hw9m-fj2v and the GitHub Release v1.45.1.
Workarounds
- Disable distributed query plan caching by removing or commenting out the Redis caching configuration
- Use local in-memory caching only until patching is complete
- Implement additional application-layer validation to verify operation execution matches client requests
- Consider temporarily disabling caching for mutation operations specifically
# Disable distributed query plan caching in router.yaml
# Comment out or remove the following configuration:
# supergraph:
#   query_planning:
#     cache:
#       redis:
#         urls: ["redis://..."]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.