Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.
Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.
Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed - for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.
This issue affects absinthe: from 1.5.0 before 1.10.2.
AnalysisAI
Unauthenticated remote attackers can crash Erlang VM nodes running Absinthe GraphQL 1.5.0 through 1.10.1 by exhausting the BEAM atom table through specially crafted GraphQL SDL documents. Attackers send SDL containing numerous unique directive, field, type, or argument names that are unsafely converted to atoms via String.to_atom/1, permanently consuming slots in the fixed-size atom table (default 1,048,576 entries) until the VM terminates with system_limit error. This affects any application exposing SDL parsing to untrusted input, such as schema upload endpoints, federation gateways ingesting remote SDL, or developer tools processing user-supplied documents. Vendor-released patch (version 1.10.2) is available per GitHub advisory GHSA-qf4g-9fqq-mmm7.
Technical ContextAI
Absinthe is a GraphQL implementation for Elixir running on the BEAM virtual machine (Erlang VM). The vulnerability resides in Blueprint.Draft.convert/2 implementations across SDL language modules that parse GraphQL Schema Definition Language documents. The BEAM atom table stores immutable symbolic constants used throughout Erlang/Elixir code, with atoms never garbage-collected and a fixed capacity limit enforced at the VM level. When Absinthe calls String.to_atom/1 on attacker-supplied names from SDL documents, each unique string creates a permanent atom entry. This maps to CWE-770 (Allocation of Resources Without Limits or Throttling) because the parser lacks input validation or rate limiting on atom creation. GraphQL SDL allows arbitrary identifiers for schema elements, and the parsing code trusts these names implicitly rather than using safe alternatives like String.to_existing_atom/1 or maintaining a bounded namespace.
RemediationAI
Upgrade to Absinthe version 1.10.2 or later, which addresses the unsafe atom conversion in SDL parsing code per GitHub advisory GHSA-qf4g-9fqq-mmm7. For applications unable to upgrade immediately, implement strict input validation on SDL parsing endpoints: restrict access to authenticated administrative users only via application-level access controls, enforce request rate limiting (e.g., maximum 10 SDL parse requests per IP per hour), and implement document size limits (reject SDL documents exceeding 10KB). Consider disabling SDL upload features entirely if not required for production operations - many applications only need SDL parsing during development/deployment phases and can remove these endpoints from runtime environments. Monitor Erlang VM atom table usage via :erlang.system_info(:atom_count) and configure alerts when approaching 90% of :erlang.system_info(:atom_limit) as an early warning system. Note that workarounds provide incomplete protection since crafting sufficient unique names within size limits remains feasible; patching to 1.10.2 is the only complete remediation.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28798
GHSA-qf4g-9fqq-mmm7