CVE-2026-43967
Quadratic fragment-name uniqueness check causes denial of service in absinthe
Vulnerability description
Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller.
Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.
This issue affects absinthe: from 1.2.0 before 1.10.2.
Affected
pkg:hex/absinthe
pkg:github/absinthe-graphql/absinthe
| Module | Source File | Routine |
|---|---|---|
Absinthe.Phase.Document.Validation.UniqueFragmentNames
|
lib/absinthe/phase/document/validation/unique_fragment_names.ex
|
Absinthe.Phase.Document.Validation.UniqueFragmentNames.run/2
|
Absinthe.Phase.Document.Validation.UniqueFragmentNames.duplicate?/2
|
| Status | Type | Version | Changes / Fixed in |
|---|---|---|---|
| affected | git ⓘ | 0b46e3bcc0
|
< 223600c520
|
References
- https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2 vendor-advisory related
- https://osv.dev/vulnerability/EEF-CVE-2026-43967 related
- https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d patch
Credits
- Finder: Peter Ullrich
- Remediation developer: Curtis Schiewek
CVE record as JSON:
GET /cves/CVE-2026-43967.json
OSV record as JSON:
GET /osv/EEF-CVE-2026-43967.json