CVE-2026-43967
Denial of Service in Absinthe-GraphQL via Quadratic Fragment Validation
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: EEF
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| absinthe | absinthe | to 1.10.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the absinthe-graphql library to version 1.10.2 or later, where the vulnerability has been fixed by optimizing the fragment-name uniqueness validation algorithm from O(NΒ²) to O(N).
Until the upgrade can be applied, consider implementing request size limits or rate limiting on GraphQL queries to reduce the risk of denial-of-service attacks.
- Upgrade absinthe-graphql to version 1.10.2 or later.
- Apply rate limiting or throttling on GraphQL endpoints to limit the number of large queries.
- Enforce maximum query size limits in the GraphQL server configuration to prevent excessively large fragment counts.
Can you explain this vulnerability to me?
This vulnerability is an Inefficient Algorithmic Complexity issue in the absinthe-graphql library. Specifically, it occurs in the UniqueFragmentNames validation phase, where the code performs a quadratic number of comparisons to check for duplicate fragment names in a GraphQL query.
The function iterates over all fragments and for each fragment counts how many fragments have the same name, resulting in O(NΒ²) complexity where N is the number of fragments. Since the fragments come directly from the query input, an attacker can supply a very large number of fragments to trigger this expensive validation.
This leads to a denial of service (DoS) vulnerability because processing such a large query consumes excessive CPU resources, slowing down or crashing the service without requiring authentication or special knowledge.
How can this vulnerability impact me? :
This vulnerability can be exploited by an attacker to cause a denial of service (DoS) on systems using the affected versions of absinthe-graphql. By sending a specially crafted GraphQL query containing a very large number of fragments, the attacker forces the server to perform an extremely high number of comparisons during validation.
The excessive computational load can degrade system performance, cause slowdowns, or even crash the service, making it unavailable to legitimate users. No authentication or special permissions are needed to exploit this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an unauthenticated attacker to cause a denial-of-service (DoS) condition by exploiting an inefficient algorithm in fragment-name uniqueness validation. The impact is limited to system availability, as it can stall the server's CPU and exhaust resources.
While the vulnerability affects availability, there is no indication from the provided information that it leads to unauthorized access, data leakage, or modification of sensitive data.
Therefore, the vulnerability primarily impacts the availability aspect of security controls, which may affect compliance with standards that require system availability guarantees, such as HIPAA's availability requirements or GDPR's requirement for data availability and resilience.
However, since the vulnerability does not involve data breach or confidentiality issues, its direct effect on compliance with data protection regulations like GDPR or HIPAA is limited to potential service disruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually large GraphQL queries containing a high number of fragment definitions, which cause excessive CPU usage due to the inefficient fragment-name uniqueness validation.
Since the vulnerability is triggered by GraphQL queries with many fragments, one detection approach is to log and analyze incoming GraphQL requests for fragment counts.
There are no specific commands provided in the resources, but you can use network monitoring tools or application logs to identify large GraphQL queries.
- Use application-level logging to capture GraphQL query sizes and fragment counts.
- Monitor CPU usage spikes on servers handling GraphQL requests, which may indicate exploitation attempts.
- Use network packet capture tools (e.g., tcpdump, Wireshark) to filter and analyze GraphQL POST requests for unusually large payloads.