Approved changes feed: RSS · Atom
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Absinthe Graphql (7fddf56e-a0c2-5080-92c8-5e68f180248c) |
|---|---|
| Product | Absinthe (705ebafa-ebf7-5e28-87ea-0eab8af6f32f) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/absinthe-graphql/absinthe |
purl2cpe | 2026-06-01 10:16:27.824322 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-43967 |
vulnerable | 2026-06-03 15:25:02.765449 |
Quadratic fragment-name uniqueness check causes denial of service in absinthe
Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.
'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller.
Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.
This issue affects absinthe: from 1.2.0 before 1.10.2.
Published: 2026-05-08T15:42:34.347Z
Updated: 2026-05-09T04:18:14.810Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-42793 |
vulnerable | 2026-06-03 15:25:01.533158 |
Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.
Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.
Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.
This issue affects absinthe: from 1.5.0 before 1.10.2.
Published: 2026-05-08T15:42:46.101Z
Updated: 2026-05-09T12:41:41.873Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.