How severe is CVE-2024-28101?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2024-28101?

This is classified as CWE-409, which is a common weakness in software security.

CVE-2024-28101 - HIGH Severity | CVSS 7.5

Vulnerability Description

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the `limits.http_max_request_bytes` configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory consumption while the compressed payload is expanded. Router version 1.40.2 has a fix for the vulnerability. Those who are unable to upgrade may be able to implement mitigations at proxies or load balancers positioned in front of their Router fleet (e.g. Nginx, HAProxy, or cloud-native WAF services) by creating limits on HTTP body upload size.

Related Vulnerabilities

CVE-2024-3572

HIGH

CVSS:7.5(High)

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows...

CWE-4092024

CVE-2024-43499

HIGH

CVSS:7.5(High)

.NET and Visual Studio Denial of Service Vulnerability

CWE-4092024

CVE-2024-7765

HIGH

CVSS:7.5(High)

In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes unresponsive due to memory exhaustion...

CWE-4092024

CVE-2025-30153

HIGH

CVSS:7.5(High)

kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted...

CWE-4092025

CVE-2025-46730

MEDIUM

CVSS:6.8(Medium)

MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other security tools and web applications. Access t...

CWE-4092025

CVE-2023-0475

MEDIUM

CVSS:6.5(Medium)

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

CWE-4092023