CVE-2026-42793
Denial of Service in Absinthe via Atom Table Exhaustion
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: EEF
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| absinthe | absinthe | < 1.10.2 (1.10.2 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the absinthe-graphql library, where several code paths call String.to_atom/1 on attacker-controlled names taken from parsed GraphQL SDL documents. Atoms in the Erlang VM are never garbage-collected and the atom table has a fixed maximum size set at VM start (1,048,576 entries by default), so every distinct name that is interned permanently consumes one slot in the table.
An attacker exploits this by submitting SDL documents that contain many unique names (type, field, argument or directive names). Each new name adds an atom, and once the table is full the VM aborts with a system_limit error. Because the atom table is global to the VM, this takes down the entire node, not just the process handling the request.
Any application that feeds attacker-controlled GraphQL SDL to Absinthe's parser is affected; schema-upload endpoints, federation gateways and developer tooling are the typical exposure points. Endpoints that only execute queries against a compiled schema are not the code path described here.
How can this vulnerability impact me?
This vulnerability can lead to an unauthenticated denial of service (DoS) attack against applications using the absinthe-graphql library. By exhausting the Erlang VM's atom table, an attacker can cause the entire node to crash, resulting in service downtime and loss of availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation shows up as atom table usage that grows monotonically under load and never falls back, since interned atoms are never reclaimed.
Because the trigger is an attacker-controlled SDL document, detection can also inspect incoming SDL for an unusually large number of distinct identifiers (type, field and directive names) before it is parsed.
Commands to check the current atom table usage on an Erlang node:
- In an Erlang shell, `erlang:system_info(atom_count).` returns the number of atoms currently interned.
- `erlang:system_info(atom_limit).` returns the maximum number of atoms the VM was started with (raised only with the `+t` emulator flag).
- From an Elixir shell (iex) the same calls are `:erlang.system_info(:atom_count)` and `:erlang.system_info(:atom_limit)`.
Watch the ratio of the two over time; a node that interns thousands of new atoms per request is either processing hostile input or has this pattern in its own code. Also monitor logs for system_limit errors and for VM crashes (an erl_crash.dump written at the time of the outage), which indicate the table was already exhausted.
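The checks above, as an added monitoring example for this page in Elixir (it is not Absinthe or OTP code). The module name, the 0.5/0.8 thresholds and the poller interval are illustrative choices; the only assumption about the platform is OTP 20 or newer, which introduced `atom_count`.

```elixir
# Added monitoring example for this page (not Absinthe or OTP code).
# Assumes OTP 20 or newer, which introduced system_info(atom_count).
defmodule AtomTableMonitor do
  @moduledoc """
  Reads atom table usage from the running VM and flags when it approaches
  the hard limit (default 1,048,576 entries, raised only with the `+t` flag).
  """

  # Snapshot of the current count, the limit and the fill ratio.
  def usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, ratio: count / limit}
  end

  # Classify the snapshot; thresholds are example values, tune them per node.
  def check(warn \\ 0.5, critical \\ 0.8) do
    u = usage()

    cond do
      u.ratio >= critical -> {:critical, u}
      u.ratio >= warn -> {:warn, u}
      true -> {:ok, u}
    end
  end

  # Count how many atoms a zero-arity function interns, e.g. wrap one call
  # of a schema-upload handler to confirm it does not grow the table.
  def atoms_created_by(fun) when is_function(fun, 0) do
    before = :erlang.system_info(:atom_count)
    fun.()
    :erlang.system_info(:atom_count) - before
  end

  # Warn every `interval_ms` while the table is under pressure. Returns the
  # poller pid; in production run it under a supervisor instead of spawn_link.
  def start_poller(interval_ms \\ 60_000) do
    spawn_link(fn -> poll(interval_ms) end)
  end

  defp poll(interval_ms) do
    case check() do
      {:ok, _} -> :ok
      {level, u} -> IO.warn("atom table #{level}: #{u.count}/#{u.limit}")
    end

    Process.sleep(interval_ms)
    poll(interval_ms)
  end
end

# Demonstration for a throwaway VM only: interning 1_000 unique names adds
# up to 1_000 atoms that are never reclaimed, so never run this on a
# production node.
IO.inspect(AtomTableMonitor.usage(), label: "before")

grown =
  AtomTableMonitor.atoms_created_by(fn ->
    Enum.each(1..1_000, fn i -> String.to_atom("probe_name_#{i}") end)
  end)

IO.puts("new atoms interned: #{grown}")
IO.inspect(AtomTableMonitor.check(), label: "status")
```

Save it as a `.exs` file and run it with `elixir`, or paste the module into `iex` on the node under investigation and call `AtomTableMonitor.usage/0` there. `atoms_created_by/1` is the useful part for triage: wrap a single request handler in it with a representative SDL document and any non-zero result means that handler interns attacker-controlled names.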
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the absinthe-graphql library to version 1.10.2 or later, where the vulnerability has been fixed.
Until the upgrade is applied, do not pass untrusted SDL to Absinthe's parser at all if the feature can be disabled; where it cannot, allow-list the type and directive names you accept, cap the number of distinct identifiers per document, and reject the document before it is parsed when the cap is exceeded.
In your own code, never call String.to_atom/1 on user-supplied strings; use String.to_existing_atom/1 or an explicit allow-list map so that untrusted input can only resolve to atoms that already exist.
Monitor the Erlang VM for atom table usage and system_limit errors to detect and respond to potential attacks.
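The interim hardening described above, as an added example in Elixir. This is not Absinthe's code and does not reproduce its fix; the module and function names, the directive allow-list and the 500-name budget are illustrative choices, and the identifier regex is a deliberately crude over-approximation of GraphQL names rather than a real SDL tokenizer.

```elixir
# Added hardening example for this page (not Absinthe's code). Module and
# function names, the directive allow-list and the 500-name budget are
# illustrative choices, not values from the library or the advisory.
defmodule SdlNames do
  # VULNERABLE pattern: every distinct attacker-supplied name is interned as
  # a new, never-reclaimed atom. Shown only as the "before".
  def intern_unsafe(name) when is_binary(name), do: String.to_atom(name)

  # SAFE: resolve only names that already exist as atoms (for example the
  # fields of a compiled schema); unknown names stay strings and are rejected.
  def intern_safe(name) when is_binary(name) do
    {:ok, String.to_existing_atom(name)}
  rescue
    ArgumentError -> {:error, {:unknown_name, name}}
  end

  # SAFE and stricter: an explicit allow-list for the few directives the
  # application supports. to_existing_atom accepts any atom that happens to
  # be loaded in the VM; the map accepts only these.
  @allowed_directives %{"deprecated" => :deprecated, "key" => :key}
  def directive(name) when is_binary(name), do: Map.fetch(@allowed_directives, name)

  # Interim defence for an unpatched version: bound the number of distinct
  # identifiers in a document before it reaches a parser that may intern them.
  # The regex over-counts (it also matches words inside strings and comments),
  # which errs towards rejecting, never towards admitting, a hostile document.
  def unique_names(sdl) when is_binary(sdl) do
    ~r/[_A-Za-z][_0-9A-Za-z]*/
    |> Regex.scan(sdl)
    |> List.flatten()
    |> MapSet.new()
  end

  def check_budget(sdl, max_unique \\ 500) do
    n = MapSet.size(unique_names(sdl))
    if n > max_unique, do: {:error, {:too_many_names, n}}, else: :ok
  end
end

# Constructed inputs: a benign schema fragment and a hostile document that
# defines thousands of uniquely named types and fields.
benign = "type Query { hello: String @deprecated }"
hostile = Enum.map_join(1..10_000, "\n", fn i -> "type T#{i} { f#{i}: Int }" end)

IO.inspect(SdlNames.check_budget(benign), label: "benign")
IO.inspect(SdlNames.check_budget(hostile), label: "hostile")
IO.inspect(SdlNames.intern_safe("ok"), label: "existing atom")
IO.inspect(SdlNames.intern_safe("not_an_atom_#{:rand.uniform(1_000_000)}"), label: "unknown name")
IO.inspect(SdlNames.directive("deprecated"), label: "allowed directive")
IO.inspect(SdlNames.directive("evil"), label: "unknown directive")
```

Run it with `elixir sdl_names.exs`. `check_budget/2` is a pre-parse gate: call it on the raw SDL body in the endpoint that receives uploads and return an error to the client when it fails, so the document never reaches code that interns names. The budget should be set from the largest legitimate schema you expect, with headroom, not from the atom limit.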
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.