Search criteria
4 vulnerabilities found for absinthe by absinthe-graphql
CVE-2026-43967 (GCVE-0-2026-43967)
Vulnerability from nvd – Published: 2026-05-08 15:42 – Updated: 2026-05-09 04:18
VLAI
Title
Quadratic fragment-name uniqueness check causes denial of service in absinthe
Summary
Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.
'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller.
Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.
This issue affects absinthe: from 1.2.0 before 1.10.2.
Severity
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/absinthe-graphql/absinthe/secu… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-43967.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-43967 | related |
| https://github.com/absinthe-graphql/absinthe/comm… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| absinthe-graphql | absinthe |
Affected:
1.2.0 , < 1.10.2
(semver)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
|
| absinthe-graphql | absinthe |
Affected:
0b46e3bcc06c0d3797bacd64761b908a84646c1d , < 223600c520493dcaf95080af552c413099f92c9d
(git)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:07:01.053904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:07:10.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
],
"packageName": "absinthe",
"packageURL": "pkg:hex/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/phase/document/validation/unique_fragment_names.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
},
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
],
"packageName": "absinthe-graphql/absinthe",
"packageURL": "pkg:github/absinthe-graphql/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/phase/document/validation/unique_fragment_names.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
},
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "223600c520493dcaf95080af552c413099f92c9d",
"status": "affected",
"version": "0b46e3bcc06c0d3797bacd64761b908a84646c1d",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.10.2",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Curtis Schiewek"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\u003c/tt\u003e iterates over all fragments and for each one calls \u003ctt\u003eduplicate?/2\u003c/tt\u003e, which evaluates \u003ctt\u003eEnum.count(fragments, \u0026amp;(\u0026amp;1.name == name))\u003c/tt\u003e \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\u003c/p\u003e\u003cp\u003eBecause \u003ctt\u003einput.fragments\u003c/tt\u003e is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.2.0 before 1.10.2.\u003c/p\u003e"
}
],
"value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\n\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\n\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\n\nThis issue affects absinthe: from 1.2.0 before 1.10.2."
}
],
"impacts": [
{
"capecId": "CAPEC-229",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-229 Serialized Data Parameter Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T04:18:14.810Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
},
{
"tags": [
"patch"
],
"url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Quadratic fragment-name uniqueness check causes denial of service in absinthe",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43967",
"datePublished": "2026-05-08T15:42:34.347Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-05-09T04:18:14.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42793 (GCVE-0-2026-42793)
Vulnerability from nvd – Published: 2026-05-08 15:42 – Updated: 2026-05-09 12:41
VLAI
Title
Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
Summary
Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.
Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.
Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.
This issue affects absinthe: from 1.5.0 before 1.10.2.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/absinthe-graphql/absinthe/secu… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-42793.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-42793 | related |
| https://github.com/absinthe-graphql/absinthe/comm… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| absinthe-graphql | absinthe |
Affected:
1.5.0 , < 1.10.2
(semver)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
|
| absinthe-graphql | absinthe |
Affected:
d0eae7764520d4e8e5dfff619068c0de911aec33 , < dd842b938e3823f345c10416914ffab5d5536838
(git)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42793",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:09:01.643983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:09:11.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
"\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
],
"packageName": "absinthe",
"packageURL": "pkg:hex/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/language/directive_definition.ex",
"lib/absinthe/language/enum_type_definition.ex",
"lib/absinthe/language/field_definition.ex",
"lib/absinthe/language/input_object_type_definition.ex",
"lib/absinthe/language/input_value_definition.ex",
"lib/absinthe/language/interface_type_definition.ex",
"lib/absinthe/language/object_type_definition.ex",
"lib/absinthe/language/scalar_type_definition.ex",
"lib/absinthe/language/union_type_definition.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
"\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
],
"packageName": "absinthe-graphql/absinthe",
"packageURL": "pkg:github/absinthe-graphql/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/language/directive_definition.ex",
"lib/absinthe/language/enum_type_definition.ex",
"lib/absinthe/language/field_definition.ex",
"lib/absinthe/language/input_object_type_definition.ex",
"lib/absinthe/language/input_value_definition.ex",
"lib/absinthe/language/interface_type_definition.ex",
"lib/absinthe/language/object_type_definition.ex",
"lib/absinthe/language/scalar_type_definition.ex",
"lib/absinthe/language/union_type_definition.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "dd842b938e3823f345c10416914ffab5d5536838",
"status": "affected",
"version": "d0eae7764520d4e8e5dfff619068c0de911aec33",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.10.2",
"versionStartIncluding": "1.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Curtis Schiewek"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\u003cp\u003eMultiple \u003ctt\u003eBlueprint.Draft.convert/2\u003c/tt\u003e implementations in Absinthe\u0027s SDL language modules call \u003ctt\u003eString.to_atom/1\u003c/tt\u003e on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with \u003ctt\u003esystem_limit\u003c/tt\u003e and taking down the entire node.\u003c/p\u003e\u003cp\u003eAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.5.0 before 1.10.2.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe\u0027s SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T12:41:41.873Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42793.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"
},
{
"tags": [
"patch"
],
"url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42793",
"datePublished": "2026-05-08T15:42:46.101Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-05-09T12:41:41.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42793 (GCVE-0-2026-42793)
Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 12:41
VLAI
Title
Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
Summary
Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.
Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.
Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.
This issue affects absinthe: from 1.5.0 before 1.10.2.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/absinthe-graphql/absinthe/secu… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-42793.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-42793 | related |
| https://github.com/absinthe-graphql/absinthe/comm… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| absinthe-graphql | absinthe |
Affected:
1.5.0 , < 1.10.2
(semver)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
|
| absinthe-graphql | absinthe |
Affected:
d0eae7764520d4e8e5dfff619068c0de911aec33 , < dd842b938e3823f345c10416914ffab5d5536838
(git)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42793",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:09:01.643983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:09:11.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
"\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
],
"packageName": "absinthe",
"packageURL": "pkg:hex/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/language/directive_definition.ex",
"lib/absinthe/language/enum_type_definition.ex",
"lib/absinthe/language/field_definition.ex",
"lib/absinthe/language/input_object_type_definition.ex",
"lib/absinthe/language/input_value_definition.ex",
"lib/absinthe/language/interface_type_definition.ex",
"lib/absinthe/language/object_type_definition.ex",
"lib/absinthe/language/scalar_type_definition.ex",
"lib/absinthe/language/union_type_definition.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
"\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
],
"packageName": "absinthe-graphql/absinthe",
"packageURL": "pkg:github/absinthe-graphql/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/language/directive_definition.ex",
"lib/absinthe/language/enum_type_definition.ex",
"lib/absinthe/language/field_definition.ex",
"lib/absinthe/language/input_object_type_definition.ex",
"lib/absinthe/language/input_value_definition.ex",
"lib/absinthe/language/interface_type_definition.ex",
"lib/absinthe/language/object_type_definition.ex",
"lib/absinthe/language/scalar_type_definition.ex",
"lib/absinthe/language/union_type_definition.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "dd842b938e3823f345c10416914ffab5d5536838",
"status": "affected",
"version": "d0eae7764520d4e8e5dfff619068c0de911aec33",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.10.2",
"versionStartIncluding": "1.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Curtis Schiewek"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\u003cp\u003eMultiple \u003ctt\u003eBlueprint.Draft.convert/2\u003c/tt\u003e implementations in Absinthe\u0027s SDL language modules call \u003ctt\u003eString.to_atom/1\u003c/tt\u003e on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with \u003ctt\u003esystem_limit\u003c/tt\u003e and taking down the entire node.\u003c/p\u003e\u003cp\u003eAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.5.0 before 1.10.2.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe\u0027s SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T12:41:41.873Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42793.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"
},
{
"tags": [
"patch"
],
"url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42793",
"datePublished": "2026-05-08T15:42:46.101Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-05-09T12:41:41.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43967 (GCVE-0-2026-43967)
Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 04:18
VLAI
Title
Quadratic fragment-name uniqueness check causes denial of service in absinthe
Summary
Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.
'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller.
Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.
This issue affects absinthe: from 1.2.0 before 1.10.2.
Severity
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/absinthe-graphql/absinthe/secu… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-43967.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-43967 | related |
| https://github.com/absinthe-graphql/absinthe/comm… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| absinthe-graphql | absinthe |
Affected:
1.2.0 , < 1.10.2
(semver)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
|
| absinthe-graphql | absinthe |
Affected:
0b46e3bcc06c0d3797bacd64761b908a84646c1d , < 223600c520493dcaf95080af552c413099f92c9d
(git)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:07:01.053904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:07:10.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
],
"packageName": "absinthe",
"packageURL": "pkg:hex/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/phase/document/validation/unique_fragment_names.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
},
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
],
"packageName": "absinthe-graphql/absinthe",
"packageURL": "pkg:github/absinthe-graphql/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/phase/document/validation/unique_fragment_names.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
},
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "223600c520493dcaf95080af552c413099f92c9d",
"status": "affected",
"version": "0b46e3bcc06c0d3797bacd64761b908a84646c1d",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.10.2",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Curtis Schiewek"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\u003c/tt\u003e iterates over all fragments and for each one calls \u003ctt\u003eduplicate?/2\u003c/tt\u003e, which evaluates \u003ctt\u003eEnum.count(fragments, \u0026amp;(\u0026amp;1.name == name))\u003c/tt\u003e \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\u003c/p\u003e\u003cp\u003eBecause \u003ctt\u003einput.fragments\u003c/tt\u003e is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.2.0 before 1.10.2.\u003c/p\u003e"
}
],
"value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\n\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\n\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\n\nThis issue affects absinthe: from 1.2.0 before 1.10.2."
}
],
"impacts": [
{
"capecId": "CAPEC-229",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-229 Serialized Data Parameter Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T04:18:14.810Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
},
{
"tags": [
"patch"
],
"url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Quadratic fragment-name uniqueness check causes denial of service in absinthe",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43967",
"datePublished": "2026-05-08T15:42:34.347Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-05-09T04:18:14.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}