{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/absinthe--1.5.0--1.10.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-42793"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["absinthe (\u003e= 1.5.0, \u003c 1.10.2)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","graphql","atom-table-exhaustion"],"_cs_type":"advisory","_cs_vendors":["Erlang"],"content_html":"\u003cp\u003eAbsinthe, a GraphQL toolkit for Elixir, is susceptible to a denial-of-service vulnerability (CVE-2026-42793) affecting versions 1.5.0 prior to 1.10.2. The vulnerability stems from the way Absinthe parses GraphQL SDL documents. Specifically, every \u003ccode\u003edirective @\u0026lt;name\u0026gt;\u003c/code\u003e definition is converted into a newly created atom without any allow-list or length cap. Since Erlang atoms are never garbage-collected and the BEAM VM has a finite atom table (approximately 1,048,576 atoms), an attacker can exhaust this table by sending a specially crafted GraphQL document containing a large number of unique directive names. The attack requires no authentication and impacts all workloads on the Erlang node.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a GraphQL SDL document containing a large number of unique directive definitions (e.g., \u003ccode\u003edirective @randomName1 on FIELD\u003c/code\u003e, \u003ccode\u003edirective @randomName2 on FIELD\u003c/code\u003e, etc.).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/graphql\u003c/code\u003e endpoint of an application using \u003ccode\u003eabsinthe_plug\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePlug.Parsers\u003c/code\u003e processes the request and parses the GraphQL document using \u003ccode\u003eAbsinthe.Plug.Parser\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAbsinthe.Phase.Parse\u003c/code\u003e is invoked to parse the SDL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAbsinthe.Blueprint.Draft.convert/2\u003c/code\u003e processes the parsed SDL.\u003c/li\u003e\n\u003cli\u003eFor each \u003ccode\u003eDirectiveDefinition\u003c/code\u003e node in the SDL, \u003ccode\u003eMacro.underscore(node.name) |\u0026gt; String.to_atom()\u003c/code\u003e is called in \u003ccode\u003elib/absinthe/language/directive_definition.ex:27\u003c/code\u003e, creating a new atom from the directive name. This also occurs in \u003ccode\u003elib/absinthe/language/enum_type_definition.ex:23\u003c/code\u003e, \u003ccode\u003elib/absinthe/language/field_definition.ex:27\u003c/code\u003e, etc.\u003c/li\u003e\n\u003cli\u003eIf the attacker-controlled document contains enough unique directive names (approaching 1 million), the BEAM VM\u0026rsquo;s atom table becomes exhausted.\u003c/li\u003e\n\u003cli\u003eSubsequent attempts to create new atoms result in a crash of the entire Erlang node, causing a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, where the entire Erlang node crashes due to atom-table exhaustion. This impacts not only the Absinthe-based application but also any other Erlang-based workloads running on the same VM. The vulnerability can be triggered without authentication and requires only the ability to send a specially crafted GraphQL document to an exposed endpoint.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Absinthe version 1.10.2 or later to patch CVE-2026-42793.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on any endpoint that accepts GraphQL SDL documents to prevent attackers from injecting a large number of unique directive names.\u003c/li\u003e\n\u003cli\u003eMonitor the Erlang VM\u0026rsquo;s atom count using \u003ccode\u003e:erlang.system_info(:atom_count)\u003c/code\u003e and alert if it approaches the limit (approximately 1,048,576). This can provide early warning of an attempted atom-table exhaustion attack.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Absinthe GraphQL Atom Table Exhaustion Attempt\u0026rdquo; to identify suspicious GraphQL payloads containing numerous unique directive definitions based on HTTP request logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T13:10:10Z","date_published":"2026-05-14T13:10:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-absinthe-atom-dos/","summary":"Absinthe versions 1.5.0 before 1.10.2 are vulnerable to a denial-of-service attack (CVE-2026-42793) due to unbounded atom creation when parsing GraphQL SDL documents, allowing an attacker to exhaust the Erlang VM's atom table and crash the entire node by submitting a crafted document with numerous unique directive names.","title":"Absinthe GraphQL Atom Table Exhaustion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-absinthe-atom-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Absinthe (\u003e= 1.5.0, \u003c 1.10.2)","version":"https://jsonfeed.org/version/1.1"}