Absinthe (>= 1.5.0, < 1.10.2) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/absinthe--1.5.0--1.10.2/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 14 May 2026 13:10:10 +0000Absinthe GraphQL Atom Table Exhaustion Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-05-absinthe-atom-dos/Thu, 14 May 2026 13:10:10 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-absinthe-atom-dos/Absinthe versions 1.5.0 before 1.10.2 are vulnerable to a denial-of-service attack (CVE-2026-42793) due to unbounded atom creation when parsing GraphQL SDL documents, allowing an attacker to exhaust the Erlang VM's atom table and crash the entire node by submitting a crafted document with numerous unique directive names.Absinthe, a GraphQL toolkit for Elixir, is susceptible to a denial-of-service vulnerability (CVE-2026-42793) affecting versions 1.5.0 prior to 1.10.2. The vulnerability stems from the way Absinthe parses GraphQL SDL documents. Specifically, every directive @<name> definition is converted into a newly created atom without any allow-list or length cap. Since Erlang atoms are never garbage-collected and the BEAM VM has a finite atom table (approximately 1,048,576 atoms), an attacker can exhaust this table by sending a specially crafted GraphQL document containing a large number of unique directive names. The attack requires no authentication and impacts all workloads on the Erlang node.

Attack Chain

  1. An attacker crafts a GraphQL SDL document containing a large number of unique directive definitions (e.g., directive @randomName1 on FIELD, directive @randomName2 on FIELD, etc.).
  2. The attacker sends an HTTP POST request to the /graphql endpoint of an application using absinthe_plug.
  3. Plug.Parsers processes the request and parses the GraphQL document using Absinthe.Plug.Parser.
  4. Absinthe.Phase.Parse is invoked to parse the SDL.
  5. Absinthe.Blueprint.Draft.convert/2 processes the parsed SDL.
  6. For each DirectiveDefinition node in the SDL, Macro.underscore(node.name) |> String.to_atom() is called in lib/absinthe/language/directive_definition.ex:27, creating a new atom from the directive name. This also occurs in lib/absinthe/language/enum_type_definition.ex:23, lib/absinthe/language/field_definition.ex:27, etc.
  7. If the attacker-controlled document contains enough unique directive names (approaching 1 million), the BEAM VM’s atom table becomes exhausted.
  8. Subsequent attempts to create new atoms result in a crash of the entire Erlang node, causing a denial of service.

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition, where the entire Erlang node crashes due to atom-table exhaustion. This impacts not only the Absinthe-based application but also any other Erlang-based workloads running on the same VM. The vulnerability can be triggered without authentication and requires only the ability to send a specially crafted GraphQL document to an exposed endpoint.

Recommendation

  • Upgrade to Absinthe version 1.10.2 or later to patch CVE-2026-42793.
  • Implement input validation and sanitization on any endpoint that accepts GraphQL SDL documents to prevent attackers from injecting a large number of unique directive names.
  • Monitor the Erlang VM’s atom count using :erlang.system_info(:atom_count) and alert if it approaches the limit (approximately 1,048,576). This can provide early warning of an attempted atom-table exhaustion attack.
  • Deploy the Sigma rule “Detect Absinthe GraphQL Atom Table Exhaustion Attempt” to identify suspicious GraphQL payloads containing numerous unique directive definitions based on HTTP request logs.
]]>mediumadvisorydenial-of-servicegraphqlatom-table-exhaustion