Threat Advisory

Absinthe GraphQL Vulnerability Enables Quadratic DoS Attack

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Erlang Absinthe package, affecting versions 1.2.0 to 1.10.2. Two high-severity vulnerabilities were discovered: Inefficient Algorithmic Complexity and Allocation of Resources Without Limits or Throttling. These vulnerabilities can lead to denial-of-service (DoS) attacks, allowing attackers to exhaust the system resources and take down the entire node. The impact of these vulnerabilities is significant, as any application that exposes an Absinthe-backed GraphQL endpoint to untrusted callers is affected.

  • CVE-2026-43967 with a CVSS score of 7.5 – This vulnerability is an Inefficient Algorithmic Complexity vulnerability in Absinthe's GraphQL validation phase, allowing unauthenticated denial-of-service via quadratic fragment-name uniqueness validation. An attacker can submit a query containing many fragment definitions, pinning a worker process for seconds and exhausting the request-handling pool.
  • CVE-2026-42793 with a CVSS score of 7.5 – This vulnerability is an Allocation of Resources Without Limits or Throttling vulnerability in Absinthe's parser, allowing unauthenticated denial-of-service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort and taking down the entire node.

The overall risk and urgency of these vulnerabilities are high. If exploited, the impact can be significant, with the entire node being taken down, affecting all unrelated workloads sharing the VM. These vulnerabilities require immediate attention, and affected applications should be patched or mitigated as soon as possible.
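Both advisories share one root cause: the amount of work a single untrusted document can trigger grows without a bound the application controls. The illustration below is added here and is not Absinthe's or the advisory's code; it is a language-agnostic pre-parse gate written in Python, with thresholds (MAX_DOCUMENT_BYTES, MAX_FRAGMENT_DEFINITIONS, MAX_DISTINCT_NAMES) and sample documents that are constructed for the example. It also contrasts the pairwise fragment-name uniqueness check (the quadratic shape CVE-2026-43967 describes) with the set-based linear check, counting the comparisons each performs.

```python
"""Pre-parse guard for untrusted GraphQL documents (added example, not Absinthe code).

Bounds the fragment count and the number of distinct names in a document before
any parser or validator runs, and shows why fragment-name uniqueness must be
checked in linear rather than quadratic time.
"""
import re

# Thresholds are constructed for this example; size them from real traffic.
MAX_DOCUMENT_BYTES = 64 * 1024
MAX_FRAGMENT_DEFINITIONS = 50
MAX_DISTINCT_NAMES = 500

# GraphQL Name token: /[_A-Za-z][_0-9A-Za-z]*/
_NAME = r"[_A-Za-z][_0-9A-Za-z]*"
_FRAGMENT_DEF = re.compile(rf"\bfragment\s+({_NAME})\s+on\b")
_ANY_NAME = re.compile(_NAME)


def fragment_names(document: str) -> list[str]:
    """Names of all fragment definitions, in order, duplicates included."""
    return _FRAGMENT_DEF.findall(document)


def duplicate_names_quadratic(names: list[str]) -> tuple[list[str], int]:
    """Pairwise comparison: the O(n^2) shape the advisory warns about.

    Returns (sorted duplicates, number of comparisons performed).
    """
    dups: set[str] = set()
    comparisons = 0
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            comparisons += 1
            if a == b:
                dups.add(a)
    return sorted(dups), comparisons


def duplicate_names_linear(names: list[str]) -> tuple[list[str], int]:
    """Set-based check: one hash lookup per name, O(n).

    Returns (sorted duplicates, number of lookups performed).
    """
    seen: set[str] = set()
    dups: set[str] = set()
    lookups = 0
    for n in names:
        lookups += 1
        if n in seen:
            dups.add(n)
        seen.add(n)
    return sorted(dups), lookups


def check_document(document: str) -> tuple[bool, str]:
    """Accept or reject a document before any parsing or validation runs.

    Each check is a single cheap scan. Together they cap, per request, the
    number of fragment definitions and the number of distinct names, which is
    exactly what the two CVEs let an unauthenticated caller grow without limit.
    """
    if len(document.encode("utf-8")) > MAX_DOCUMENT_BYTES:
        return False, "document too large"
    frags = fragment_names(document)
    if len(frags) > MAX_FRAGMENT_DEFINITIONS:
        return False, f"too many fragment definitions ({len(frags)})"
    # Over-approximation: keywords and words inside string literals are counted
    # as names too, which only makes the gate stricter, never looser.
    distinct = set(_ANY_NAME.findall(document))
    if len(distinct) > MAX_DISTINCT_NAMES:
        return False, f"too many distinct names ({len(distinct)})"
    dups, _ = duplicate_names_linear(frags)
    if dups:
        return False, f"duplicate fragment names: {', '.join(dups)}"
    return True, "ok"


# Constructed sample documents (not real traffic).
BENIGN_QUERY = """
query Repo($owner: String!, $name: String!) {
  repository(owner: $owner, name: $name) { ...RepoFields ...OwnerFields }
}
fragment RepoFields on Repository { id name description }
fragment OwnerFields on Repository { owner { login } }
"""

DUPLICATE_FRAGMENT_QUERY = """
query { repository(owner: "a", name: "b") { ...F } }
fragment F on Repository { id }
fragment F on Repository { name }
"""


def oversized_fragment_document(count: int) -> str:
    """Build a document with `count` distinct fragment definitions (test input)."""
    body = "\n".join(f"fragment F{i} on Repository {{ id }}" for i in range(count))
    return 'query { repository(owner: "a", name: "b") { id } }\n' + body


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_QUERY),
                       ("duplicate", DUPLICATE_FRAGMENT_QUERY),
                       ("oversized", oversized_fragment_document(MAX_FRAGMENT_DEFINITIONS + 1))]:
        print(label, check_document(doc))
    names = [f"F{i}" for i in range(200)]
    print("quadratic comparisons:", duplicate_names_quadratic(names)[1])
    print("linear lookups:", duplicate_names_linear(names)[1])
```

The gate belongs in front of the GraphQL handler (in an Absinthe deployment, a Plug ahead of the endpoint) so that rejected documents never reach the parser or the validation phase; it complements, rather than replaces, upgrading the library. The distinct-name cap is the relevant control for the atom-table case described in CVE-2026-42793, because it bounds how many new identifiers one request can introduce, and the fragment cap bounds the input size of the uniqueness check even on an unpatched version.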

RECOMMENDATION:

  • We recommend updating absinthe to version 1.10.2.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-9mhv-8h52-q7q2
https://github.com/advisories/GHSA-qf4g-9fqq-mmm7
