Description
Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.

'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller.

Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.

This issue affects absinthe: from 1.2.0 before 1.10.2.
Published: 2026-05-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a case of inefficient algorithmic complexity in the fragment-name uniqueness validation logic of the Absinthe GraphQL framework. The validator performs O(N²) comparisons per document, where N is the number of fragment definitions supplied by the attacker. By submitting a query with a large number of fragments, an adversary can trigger billions of comparisons, consuming CPU time and memory and effectively blocking the Absinthe process. No authentication, special configuration, or schema knowledge is required, so the condition is fully controllable by an unauthenticated user. Because the validation occurs early in the request pipeline, the impact is a denial of service that can affect availability for any client that interacts with the GraphQL endpoint.

Affected Systems

The affected product is the Absinthe GraphQL framework, versions 1.2.0 through 1.10.1. Any instance of the framework in those releases is susceptible, regardless of deployment environment. The product is maintained by the absinthe-graphql community and is available through standard Elixir package distribution channels.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity with potential for large impact on availability. The EPSS score is not available, so the current exploitation probability cannot be quantified, but the vulnerability requires no privileged input, so the likelihood of exploitation in the wild could be high. The issue is not listed in the CISA KEV catalog, yet the lack of authentication means systems exposed to the Internet could be targeted easily. Attacking via a crafted GraphQL query is the most probable vector, making the risk significant for exposed services.

Generated by OpenCVE AI on May 8, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Absinthe 1.10.2 or later, which replaces the quadratic fragment validation with an efficient algorithm.
  • If an upgrade is not immediately possible, restrict GraphQL requests by limiting query size or the maximum number of fragments that may be included, thereby bounding the worst-case quadratic cost.
  • Implement request throttling or rate limiting on GraphQL endpoints to prevent a single user from repeatedly submitting large payloads that could consume excessive server resources.
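
The quadratic check from the Description and the fragment-count limit recommended above, as an added example that is not Absinthe's code and not the 1.10.2 patch. It assumes fragments are plain maps with a :name key; the module name, function names and the single-pass variant are hypothetical illustrations.

```elixir
# Added example; not Absinthe source. Fragments are modelled as plain maps
# with a :name key (assumption); module and function names are hypothetical.
defmodule FragmentNameCheck do
  # Pattern described in the advisory: one full scan of the list per fragment.
  def duplicates_quadratic(fragments) do
    fragments
    |> Enum.filter(fn %{name: name} ->
      Enum.count(fragments, &(&1.name == name)) > 1
    end)
    |> Enum.map(& &1.name)
    |> Enum.uniq()
  end

  # Single pass: count names in a map, then keep those seen more than once.
  def duplicates_linear(fragments) do
    fragments
    |> Enum.frequencies_by(& &1.name)
    |> Enum.filter(fn {_name, count} -> count > 1 end)
    |> Enum.map(fn {name, _count} -> name end)
  end

  # Interim guard: bound N before any per-fragment work is done.
  def check_fragment_limit(fragments, max) do
    case length(fragments) do
      n when n > max -> {:error, {:too_many_fragments, n}}
      _ -> :ok
    end
  end

  # Wall-clock time of one check, in milliseconds.
  def time_ms(fun, fragments) do
    {micros, _result} = :timer.tc(fn -> fun.(fragments) end)
    div(micros, 1000)
  end
end

# Constructed input: n distinct fragment names plus one repeat of "F0".
for n <- [1_000, 2_000, 4_000] do
  fragments = for i <- 0..n, do: %{name: "F#{rem(i, n)}"}
  quad = FragmentNameCheck.time_ms(&FragmentNameCheck.duplicates_quadratic/1, fragments)
  lin = FragmentNameCheck.time_ms(&FragmentNameCheck.duplicates_linear/1, fragments)
  IO.puts("n=#{n} quadratic=#{quad}ms linear=#{lin}ms")
end
```

Doubling n roughly quadruples the time of the first function while the second grows in proportion to n, which is why a fragment-count cap bounds the cost on versions that cannot be upgraded yet.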


Advisories

No advisories yet.

History

Fri, 08 May 2026 17:30:00 +0000

Values added (none removed):

  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 16:00:00 +0000

Values added (none removed):

  • Description: the text given under Description at the top of this page
  • Title: Quadratic fragment-name uniqueness check causes denial of service in absinthe
  • First Time appeared: Absinthe-graphql; Absinthe-graphql absinthe
  • Weaknesses: CWE-407
  • CPEs: cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
  • Vendors & Products: Absinthe-graphql; Absinthe-graphql absinthe
  • References
  • Metrics: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-09T04:18:14.810Z

Reserved: 2026-05-04T18:23:25.573Z

Link: CVE-2026-43967

Vulnrichment

Updated: 2026-05-08T16:07:06.565Z

NVD

Status: Received

Published: 2026-05-08T16:16:12.910

Modified: 2026-05-08T16:16:12.910

Link: CVE-2026-43967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T02:15:06Z
