DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-43967: CVE-2026-43967: Denial of Service via Algorithmic Complexity in Absinthe GraphQL Fragment Validation

#security #cve #cybersecurity

CVE-2026-43967: Denial of Service via Algorithmic Complexity in Absinthe GraphQL Fragment Validation

Vulnerability ID: CVE-2026-43967
CVSS Score: 8.7
Published: 2026-05-14

Absinthe, an Elixir GraphQL toolkit, is vulnerable to a Denial of Service (DoS) condition due to inefficient algorithmic complexity in its document validation phase. Unauthenticated attackers can exhaust server resources by submitting GraphQL requests with heavily duplicated fragment definitions.

TL;DR

A quadratic complexity flaw (O(NĀ²)) in Absinthe's GraphQL fragment validation allows remote attackers to trigger severe CPU exhaustion via crafted requests, causing a Denial of Service. The vulnerability is patched in v1.10.2.

āš ļø Exploit Status: POC

Technical Details

  • CWE ID: CWE-407
  • Attack Vector: Network
  • CVSS 4.0 Score: 8.7
  • EPSS Score: 0.0016
  • Impact: Denial of Service (Availability)
  • Exploit Status: PoC Available
  • CISA KEV: No

Affected Systems

  • Absinthe GraphQL Toolkit for Elixir
  • Applications routing GraphQL queries through vulnerable Absinthe versions
  • absinthe: >= 1.2.0, < 1.10.2 (Fixed in: 1.10.2)

Code Analysis

Commit: 223600c

Fix algorithmic complexity in UniqueFragmentNames validation

def run(input, _options \\ []) do
-    fragments =
-      for fragment <- input.fragments do
-        process(fragment, input.fragments)
-      end
+    counts = Enum.frequencies_by(input.fragments, & &1.name)

-    result = %{input | fragments: fragments}
-    {:ok, result}
-  end
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • GitHub: Regression test included in the fix commit demonstrates the O(N^2) scaling behavior.

Mitigation Strategies

  • Upgrade Absinthe to version 1.10.2 or later.
  • Enforce strict max_body_size limits in the web server or Phoenix/Plug pipeline.
  • Implement GraphQL query complexity analysis to reject complex queries before validation.

Remediation Steps:

  1. Identify the current version of absinthe in mix.exs.
  2. Update the dependency to {:absinthe, "~> 1.10.2"}.
  3. Run mix deps.get and mix compile to fetch and compile the patched library.
  4. Deploy the updated application to production environments.

References

Read the full report for CVE-2026-43967 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)