{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/algorithmic-complexity/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-43967"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["absinthe"],"_cs_severities":["medium"],"_cs_tags":["denial of service","graphql","absinthe","algorithmic complexity","CVE-2026-43967"],"_cs_type":"advisory","_cs_vendors":["erlang"],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in the Absinthe GraphQL library, specifically in versions 1.2.0 through 1.10.1. The vulnerability stems from the inefficient algorithm used to validate the uniqueness of fragment names within a GraphQL query. An unauthenticated attacker can exploit this by sending a specially crafted GraphQL query that contains a large number of fragment definitions. The validation process, which has a time complexity of O(N²), leads to excessive CPU consumption, potentially exhausting server resources and causing a denial of service. No authentication or schema knowledge is required; the attacker only needs to send a large GraphQL query.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a GraphQL query containing a very large number of fragment definitions. Each fragment definition minimally includes the \u003ccode\u003efragment\u003c/code\u003e keyword, a unique name, the \u003ccode\u003eon\u003c/code\u003e keyword, and a type (\u003ccode\u003efragment a on T{f}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted GraphQL query to the Absinthe GraphQL endpoint via an HTTP POST request. The request body uses the JSON format.\u003c/li\u003e\n\u003cli\u003eThe Absinthe library receives the request and parses the GraphQL query, creating an internal representation of the document including a list of fragments.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAbsinthe.Phase.Document.Validation.UniqueFragmentNames\u003c/code\u003e module is invoked to validate the uniqueness of the fragment names within the query.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erun/2\u003c/code\u003e function iterates through each fragment in the \u003ccode\u003einput.fragments\u003c/code\u003e list.\u003c/li\u003e\n\u003cli\u003eFor each fragment, the \u003ccode\u003eprocess/2\u003c/code\u003e function is called which, in turn, calls \u003ccode\u003eduplicate?/2\u003c/code\u003e to check for duplicates.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eduplicate?/2\u003c/code\u003e performs a linear scan (\u003ccode\u003eEnum.count\u003c/code\u003e) of the entire fragment list to count occurrences of the current fragment\u0026rsquo;s name, resulting in N*N comparisons.\u003c/li\u003e\n\u003cli\u003eDue to the quadratic complexity, processing the large number of fragments consumes excessive CPU resources, potentially leading to worker exhaustion and denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability can lead to a denial-of-service condition on any service that exposes an Absinthe GraphQL endpoint to untrusted callers. A single unauthenticated POST request containing a large number of fragment definitions can tie up a worker process for several seconds. A modest amount of sustained traffic can exhaust the request-handling pool, rendering the service unavailable. The demonstration shows that 20,000 fragments can cause 15 seconds of CPU usage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Absinthe version 1.10.2 or later, which includes a fix that reduces the complexity of the fragment name uniqueness validation to O(N).\u003c/li\u003e\n\u003cli\u003eMonitor GraphQL endpoints for abnormally large requests containing excessive fragment definitions. Implement rate limiting to mitigate potential denial-of-service attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Absinthe GraphQL Excessive Fragments (CVE-2026-43967)\u003c/code\u003e to detect requests with a high number of GraphQL fragments in web server logs.\u003c/li\u003e\n\u003cli\u003eConsider implementing a maximum body size limit on GraphQL requests to prevent attackers from sending extremely large queries. The report mentions Phoenix\u0026rsquo;s default is 8 MB.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T13:16:21Z","date_published":"2026-05-14T13:16:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-absinthe-graphql-dos/","summary":"A denial-of-service vulnerability exists in the Absinthe GraphQL library (versions 1.2.0 to 1.10.1), where an unauthenticated attacker can exhaust server resources by submitting a crafted GraphQL query with a large number of fragment definitions due to the quadratic complexity of fragment name uniqueness validation.","title":"Absinthe GraphQL Fragment Validation Denial-of-Service (CVE-2026-43967)","url":"https://feed.craftedsignal.io/briefs/2026-05-absinthe-graphql-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Algorithmic Complexity","version":"https://jsonfeed.org/version/1.1"}