PT-2026-39146 · Absinthe · Absinthe
Curtis Schiewek +1
Published: 2026-05-08 · Updated: 2026-05-14
CVE-2026-42793
CVSS v4.0: 8.2 (High)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
absinthe versions 1.5.0 through 1.10.1
Description
An unauthenticated denial of service can occur via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in the SDL language modules call String.to_atom/1 on attacker-controlled names, such as directive, field, type, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit, submitting SDL documents that contain many unique names can exhaust the table, causing the Erlang VM to abort with a system limit error and crashing the entire node. Applications that pass attacker-controlled GraphQL SDL through the parser, such as schema-upload endpoints or federation gateways ingesting remote SDL, are exposed.
Recommendations
Update to version 1.10.2.
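The following Elixir snippet is an added illustration of the pattern behind this advisory; it is not Absinthe's code and does not reproduce the 1.10.2 fix. It contrasts the unbounded String.to_atom/1 conversion described above with a conversion that only resolves names to atoms that already exist in the VM, and adds a small helper for monitoring atom table pressure. The module name SdlNames and the function names are assumptions chosen for this example.

```elixir
# Added example, not Absinthe's code. Assumes `name` is a string taken
# from an untrusted SDL document (directive, field, type or argument name).
defmodule SdlNames do
  # Vulnerable pattern from the advisory: every previously unseen name
  # allocates a new atom that is never reclaimed, so an attacker who
  # controls the SDL controls how fast the fixed-size atom table fills.
  def unsafe_to_atom(name) when is_binary(name), do: String.to_atom(name)

  @doc """
  Safe variant: only returns an atom if it already exists in the VM,
  which is the case for names the application defined itself (for
  example at schema compile time). Unknown names are reported as an
  error rather than interned, so untrusted input cannot grow the table.
  """
  def to_safe_atom(name) when is_binary(name) do
    {:ok, String.to_existing_atom(name)}
  rescue
    ArgumentError -> {:error, {:unknown_name, name}}
  end

  @doc """
  Current atom table usage as a fraction of the VM limit, suitable for
  exporting as a metric and alerting on before the node aborts.
  """
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    count / limit
  end
end

# Usage in iex:
#   SdlNames.to_safe_atom("ok")             # an atom that always exists
#   SdlNames.to_safe_atom("untrusted_xyz")  # returns {:error, {:unknown_name, _}}
#   SdlNames.atom_table_usage()
```

Two points worth noting when applying this pattern to an SDL parser. First, String.to_existing_atom/1 raises ArgumentError for names that are not yet atoms, so a parser that must accept arbitrary remote schemas has to keep such names as strings (or map them through an explicit allow list) instead of converting them. Second, the atom table is global to the node, so atom_table_usage/0 is a node-level metric: a steady rise while SDL is being ingested from external sources is the signal a defender wants to alert on, independent of which code path performed the conversion.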
Fix
DoS
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
Absinthe