Important
If you have enabled Distributed query plan caching, this release changes the hashing algorithm used for the cache keys. On account of this, you should anticipate additional cache regeneration cost when updating between these versions while the new hashing algorithm comes into service.
🔒 Security
CVE-2024-43783: Payload limits may exceed configured maximum
Correct a denial-of-service vulnerability which, under certain non-default configurations below, made it possible to exceed the configured request payload maximums set with the limits.http_max_request_bytes
option.
This affects the following non-default Router configurations:
- Those configured to send request bodies to External Coprocessors where the
coprocessor.router.request.body
configuration option is set totrue
; or - Those which declare custom native Rust plugins using the
plugins
configuration where those plugins access the request body in theRouterService
layer.
Rhai plugins are not impacted. See the associated Github Advisory, GHSA-x6xq-whh3-gg32, for more information.
CVE-2024-43414: Update query planner to resolve uncontrolled recursion
Update the version of @apollo/query-planner
used by Router to v2.8.5 which corrects an uncontrolled recursion weakness (classified as CWE-674) during query planning for complex queries on particularly complex graphs.
This weakness impacts all versions of Router prior to this release. See the associated Github Advisory, GHSA-fmj9-77q8-g6c4, for more information.