CVE-2026-43967

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-43967

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43967.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-43967

Aliases

Published

2026-05-08T15:42:34.347Z

Modified

2026-05-28T03:53:50.496179620Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Quadratic fragment-name uniqueness check causes denial of service in absinthe

Details

Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.

'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller.

Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.

This issue affects absinthe: from 1.2.0 before 1.10.2.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43967.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "0b46e3bcc06c0d3797bacd64761b908a84646c1d"
                },
                {
                    "fixed": "223600c520493dcaf95080af552c413099f92c9d"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cwe_ids": [
        "CWE-407"
    ],
    "cna_assigner": "EEF"
}

References

Affected packages

Git / github.com/absinthe-graphql/absinthe

Affected ranges

Type: GIT
Repo: https://github.com/absinthe-graphql/absinthe
Events: Introduced

26e7619e83e0612ff4922d940627d51ab7c07e45

Fixed

c0c265cacc7f8ed5025b0bfa22f6f5e00145e919

Affected versions

1.*

1.4.0-beta.1

v1.*

v1.10.0

v1.10.1

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.6

v1.3.0

v1.3.1

v1.3.2

v1.4.0

v1.4.0-beta.1

v1.4.0-beta.2

v1.4.0-beta.3

v1.4.0-beta.4

v1.4.0-rc.0

v1.4.0-rc.1

v1.4.0-rc.2

v1.4.0-rc.3

v1.4.10

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.5.0

v1.5.0-alpha.2

v1.5.0-alpha.4

v1.5.0-beta.2

v1.5.0-rc.0

v1.5.0-rc.1

v1.5.0-rc.2

v1.5.0-rc.3

v1.5.0-rc.4

v1.5.0-rc.5

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.6.0

v1.6.0-rc.0

v1.6.0-rc.1

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.7.0

v1.7.1

v1.7.10

v1.7.11

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9

v1.8.0

v1.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43967.json"