Curtis Schiewek

**Name of the Vulnerable Software and Affected Versions** absinthe versions 1.5.0 through 1.10.1 **Description** An unauthenticated denial of service can occur via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple `Blueprint.Draft.convert/2` implementations in the SDL language modules call `String.to atom/1` on attacker-controlled names, such as directive, field, type, and argument names. Since atoms are not garbage-collected and the BEAM atom table has a fixed limit, submitting SDL documents with numerous unique names can exhaust the table, causing the Erlang VM to abort with a system limit and crashing the entire node. Applications passing attacker-controlled GraphQL SDL through the parser, such as schema-upload endpoints or federation gateways ingesting remote SDL, are exposed. **Recommendations** Update to version 1.10.2.

**Name of the Vulnerable Software and Affected Versions** absinthe versions 1.2.0 through 1.10.1 **Description** An inefficient algorithmic complexity issue allows unauthenticated denial of service through quadratic fragment-name uniqueness validation. The function `run/2` within `Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames` iterates over all fragments and calls `duplicate?/2`, which performs a full linear scan of the fragment list using `Enum.count(fragments, &(&1.name == name))`. This results in O(N²) comparisons per document, where `N` is the number of fragment definitions provided by the caller. Since `input.fragments` is constructed directly from the GraphQL query body, an attacker can control `N`. For example, a document of approximately 1 MB containing about 60,000 fragments can force approximately 3.6 × 10⁹ comparisons during this validation phase without requiring authentication, schema knowledge, or special configuration. **Recommendations** Update to version 1.10.2 or later.