CVE-2026-43967

Name of the Vulnerable Software and Affected Versions absinthe versions 1.2.0 through 1.10.1

Description An inefficient algorithmic complexity issue allows unauthenticated denial of service through quadratic fragment-name uniqueness validation. The function run/2 within Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames iterates over all fragments and calls duplicate?/2, which performs a full linear scan of the fragment list using Enum.count(fragments, &(&1.name == name)). This results in O(N²) comparisons per document, where N is the number of fragment definitions provided by the caller. Since input.fragments is constructed directly from the GraphQL query body, an attacker can control N. For example, a document of approximately 1 MB containing about 60,000 fragments can force approximately 3.6 × 10⁹ comparisons during this validation phase without requiring authentication, schema knowledge, or special configuration.

Recommendations Update to version 1.10.2 or later.