Search criteria
3 vulnerabilities by absinthe-graphql
CVE-2026-42793 (GCVE-0-2026-42793)
Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 12:41
VLAI
Title
Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
Summary
Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.
Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.
Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.
This issue affects absinthe: from 1.5.0 before 1.10.2.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/absinthe-graphql/absinthe/secu… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-42793.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-42793 | related |
| https://github.com/absinthe-graphql/absinthe/comm… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| absinthe-graphql | absinthe |
Affected:
1.5.0 , < 1.10.2
(semver)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
|
| absinthe-graphql | absinthe |
Affected:
d0eae7764520d4e8e5dfff619068c0de911aec33 , < dd842b938e3823f345c10416914ffab5d5536838
(git)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42793",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:09:01.643983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:09:11.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
"\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
],
"packageName": "absinthe",
"packageURL": "pkg:hex/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/language/directive_definition.ex",
"lib/absinthe/language/enum_type_definition.ex",
"lib/absinthe/language/field_definition.ex",
"lib/absinthe/language/input_object_type_definition.ex",
"lib/absinthe/language/input_value_definition.ex",
"lib/absinthe/language/interface_type_definition.ex",
"lib/absinthe/language/object_type_definition.ex",
"lib/absinthe/language/scalar_type_definition.ex",
"lib/absinthe/language/union_type_definition.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
"\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
"\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
"\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
],
"packageName": "absinthe-graphql/absinthe",
"packageURL": "pkg:github/absinthe-graphql/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/language/directive_definition.ex",
"lib/absinthe/language/enum_type_definition.ex",
"lib/absinthe/language/field_definition.ex",
"lib/absinthe/language/input_object_type_definition.ex",
"lib/absinthe/language/input_value_definition.ex",
"lib/absinthe/language/interface_type_definition.ex",
"lib/absinthe/language/object_type_definition.ex",
"lib/absinthe/language/scalar_type_definition.ex",
"lib/absinthe/language/union_type_definition.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
},
{
"name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "dd842b938e3823f345c10416914ffab5d5536838",
"status": "affected",
"version": "d0eae7764520d4e8e5dfff619068c0de911aec33",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.10.2",
"versionStartIncluding": "1.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Curtis Schiewek"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\u003cp\u003eMultiple \u003ctt\u003eBlueprint.Draft.convert/2\u003c/tt\u003e implementations in Absinthe\u0027s SDL language modules call \u003ctt\u003eString.to_atom/1\u003c/tt\u003e on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with \u003ctt\u003esystem_limit\u003c/tt\u003e and taking down the entire node.\u003c/p\u003e\u003cp\u003eAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.5.0 before 1.10.2.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe\u0027s SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T12:41:41.873Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42793.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"
},
{
"tags": [
"patch"
],
"url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42793",
"datePublished": "2026-05-08T15:42:46.101Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-05-09T12:41:41.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42794 (GCVE-0-2026-42794)
Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-16 10:21
VLAI
Title
Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
Summary
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.
'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser.
This issue affects absinthe_plug: from 1.2.0 before 1.5.10.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/absinthe-graphql/absinthe_plug… | vendor-advisory |
| https://cna.erlef.org/cves/CVE-2026-42794.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-42794 | related |
| https://github.com/absinthe-graphql/absinthe_plug… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| absinthe-graphql | absinthe_plug |
Affected:
1.2.0 , < 1.5.10
(semver)
cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:* |
|
| absinthe-graphql | absinthe_plug |
Affected:
26241817cb4b9be4de3f5972c5fba3d36de3d713 , < 23a0d5658d32420086711adf4ce8f05febb09963
(git)
cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42794",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:07:51.313563Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:08:26.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/absinthe-graphql/absinthe_plug/issues/275"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Plug.GraphiQL\u0027"
],
"packageName": "absinthe_plug",
"packageURL": "pkg:hex/absinthe_plug",
"product": "absinthe_plug",
"programFiles": [
"lib/absinthe/plug/graphiql.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe_plug",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "1.5.10",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Plug.GraphiQL\u0027"
],
"packageName": "absinthe-graphql/absinthe_plug",
"packageURL": "pkg:github/absinthe-graphql/absinthe_plug",
"product": "absinthe_plug",
"programFiles": [
"lib/absinthe/plug/graphiql.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe_plug",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "23a0d5658d32420086711adf4ce8f05febb09963",
"status": "affected",
"version": "26241817cb4b9be4de3f5972c5fba3d36de3d713",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must mount \u003ctt\u003eAbsinthe.Plug.GraphiQL\u003c/tt\u003e on a route that is reachable by untrusted users. The GraphiQL interface is a developer tool and is typically disabled or restricted in production deployments."
}
],
"value": "The application must mount Absinthe.Plug.GraphiQL on a route that is reachable by untrusted users. The GraphiQL interface is a developer tool and is typically disabled or restricted in production deployments."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.5.10",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "40826d"
},
{
"lang": "en",
"type": "finder",
"value": "Bryan A. Enders"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Moreno"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ben Wilson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1\u003c/tt\u003e in \u003ctt\u003elib/absinthe/plug/graphiql.ex\u003c/tt\u003e escapes single quotes and newlines in the \u003ctt\u003equery\u003c/tt\u003e GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \u003ctt\u003e\\\u0027\u003c/tt\u003e), breaking out of the string context and executing arbitrary JavaScript in the victim\u0027s browser.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe_plug: from 1.2.0 before 1.5.10.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.\n\n\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \\\u0027), breaking out of the string context and executing arbitrary JavaScript in the victim\u0027s browser.\n\nThis issue affects absinthe_plug: from 1.2.0 before 1.5.10."
}
],
"impacts": [
{
"capecId": "CAPEC-86",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-86 XSS Using HTTP Query Strings"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T10:21:31.067Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/absinthe-graphql/absinthe_plug/issues/275"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42794.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42794"
},
{
"tags": [
"patch"
],
"url": "https://github.com/absinthe-graphql/absinthe_plug/commit/23a0d5658d32420086711adf4ce8f05febb09963"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42794",
"datePublished": "2026-05-08T15:42:40.706Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-05-16T10:21:31.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43967 (GCVE-0-2026-43967)
Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 04:18
VLAI
Title
Quadratic fragment-name uniqueness check causes denial of service in absinthe
Summary
Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.
'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller.
Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.
This issue affects absinthe: from 1.2.0 before 1.10.2.
Severity
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/absinthe-graphql/absinthe/secu… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-43967.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-43967 | related |
| https://github.com/absinthe-graphql/absinthe/comm… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| absinthe-graphql | absinthe |
Affected:
1.2.0 , < 1.10.2
(semver)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
|
| absinthe-graphql | absinthe |
Affected:
0b46e3bcc06c0d3797bacd64761b908a84646c1d , < 223600c520493dcaf95080af552c413099f92c9d
(git)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:07:01.053904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:07:10.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
],
"packageName": "absinthe",
"packageURL": "pkg:hex/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/phase/document/validation/unique_fragment_names.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
},
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
],
"packageName": "absinthe-graphql/absinthe",
"packageURL": "pkg:github/absinthe-graphql/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/phase/document/validation/unique_fragment_names.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
},
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "223600c520493dcaf95080af552c413099f92c9d",
"status": "affected",
"version": "0b46e3bcc06c0d3797bacd64761b908a84646c1d",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.10.2",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Curtis Schiewek"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\u003c/tt\u003e iterates over all fragments and for each one calls \u003ctt\u003eduplicate?/2\u003c/tt\u003e, which evaluates \u003ctt\u003eEnum.count(fragments, \u0026amp;(\u0026amp;1.name == name))\u003c/tt\u003e \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\u003c/p\u003e\u003cp\u003eBecause \u003ctt\u003einput.fragments\u003c/tt\u003e is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.2.0 before 1.10.2.\u003c/p\u003e"
}
],
"value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\n\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\n\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\n\nThis issue affects absinthe: from 1.2.0 before 1.10.2."
}
],
"impacts": [
{
"capecId": "CAPEC-229",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-229 Serialized Data Parameter Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T04:18:14.810Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
},
{
"tags": [
"patch"
],
"url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Quadratic fragment-name uniqueness check causes denial of service in absinthe",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43967",
"datePublished": "2026-05-08T15:42:34.347Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-05-09T04:18:14.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}