# Summary
| Field | Value |
|---|---|
| CVE ID | CVE-2026-42793 |
| Vendor | erlang |
| Affected Product | absinthe |
| Vulnerability Type | Resource exhaustion (atom-table exhaustion leading to a VM crash, i.e. denial of service) |
| CVSS Score | 7.5 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
# Description
When Absinthe parses a GraphQL SDL document, every directive definition (`directive @name ...`) is converted into a freshly created atom, with no allow-list and no cap on the number or length of names. Atoms are never garbage-collected, and the BEAM's atom table has a hard limit (1,048,576 entries by default; the `+t` emulator flag raises it but only moves the ceiling), so any application that feeds attacker-controlled SDL through Absinthe's parser can be crashed, taking the whole VM down, by submitting a document that contains enough unique directive names. Applications that only parse SDL they ship themselves are not exposed. Introduced in https://github.com/absinthe-graphql/absinthe/commit/d0eae7764520d4e8e5dfff619068c0de911aec33
In lib/absinthe/language/directive_definition.ex:27, the Blueprint.from_ast/2 conversion does:

```elixir
Macro.underscore(node.name) |> String.to_atom()
```

`node.name` is taken verbatim from the parsed GraphQL document, so the atom
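The following is an added example, not Absinthe's code or part of the advisory: it shows the two mitigations a practitioner would apply on the application side while waiting for (or in addition to) the vendor fix. `SdlGuard.check/1` inspects an untrusted SDL document before it reaches Absinthe's parser and rejects it if it defines more directives than a cap or any directive outside an allow-list, so no atom is ever created for an unknown name. `to_existing_directive_atom/1` is the safe counterpart of the `Macro.underscore/1 |> String.to_atom/1` conversion quoted above: `String.to_existing_atom/1` only resolves names whose atom already exists and raises instead of allocating. `atom_headroom/0` exposes the atom-table fill level for a health check or alert. The module name, the cap of 50, the allow-list contents and the regex are assumptions chosen for illustration.

```elixir
# Added example, not Absinthe's code. Pre-parse guard for attacker-controlled
# SDL plus an atom-safe directive-name conversion.
defmodule SdlGuard do
  # Hypothetical values; tune the cap and the allow-list to your own schema.
  @max_directive_definitions 50
  @known_directives ~w(deprecated skip include specifiedBy)

  # Matches `directive @name` definitions in an SDL document. Deliberately
  # conservative: a match inside a description string still counts.
  @directive_def ~r/\bdirective\s+@\s*([A-Za-z_][A-Za-z0-9_]*)/

  @doc """
  Returns {:ok, names} when the document is acceptable, {:error, reason}
  otherwise. Runs on the raw binary, before Absinthe creates any atom.
  """
  def check(sdl) when is_binary(sdl) do
    names =
      @directive_def
      |> Regex.scan(sdl, capture: :all_but_first)
      |> List.flatten()
      |> Enum.uniq()

    unknown = names -- @known_directives

    cond do
      length(names) > @max_directive_definitions ->
        {:error, {:too_many_directive_definitions, length(names)}}

      unknown != [] ->
        {:error, {:unknown_directives, unknown}}

      true ->
        {:ok, names}
    end
  end

  @doc """
  Safe counterpart of `Macro.underscore(name) |> String.to_atom()`.
  `String.to_existing_atom/1` never allocates a new atom; it raises
  ArgumentError for names that are not already in the atom table.
  """
  def to_existing_directive_atom(name) when is_binary(name) do
    {:ok, String.to_existing_atom(Macro.underscore(name))}
  rescue
    ArgumentError -> {:error, {:unknown_directive, name}}
  end

  @doc "Atom-table fill level, suitable for a health endpoint or an alert."
  def atom_headroom do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, used_pct: Float.round(count * 100 / limit, 2)}
  end
end

# Constructed inputs for illustration.
benign = "directive @deprecated(reason: String) on FIELD_DEFINITION"
hostile =
  Enum.map_join(1..60, "\n", fn i -> "directive @evil#{i} on FIELD_DEFINITION" end)

{:ok, ["deprecated"]} = SdlGuard.check(benign)
{:error, {:too_many_directive_definitions, 60}} = SdlGuard.check(hostile)
{:error, {:unknown_directive, "NeverSeenBefore"}} =
  SdlGuard.to_existing_directive_atom("NeverSeenBefore")
IO.inspect(SdlGuard.atom_headroom(), label: "atom table")
```

Call `SdlGuard.check/1` on any SDL that originates outside your own codebase before handing it to Absinthe, and alert when `atom_headroom/0` reports the table filling up: a steadily rising `count` on a node that should only create atoms at boot is the observable symptom of this bug class, whether or not the SDL path is the one being abused.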