Absinthe-GraphQL Unauthenticated Denial-of-Service Vulnerability via Atom Table Exhaustion

Vulnerability

A denial-of-service vulnerability has been identified in the Absinthe-GraphQL library, affecting versions from 1.5.0 up to, but not including, 1.10.2. It allows an unauthenticated attacker to exhaust the BEAM VM's atom table by submitting GraphQL Schema Definition Language (SDL) documents that contain a large number of unique names. The root cause is that Absinthe's SDL parsing modules convert every such name into an atom without validating it or bounding how many are created. Atoms are never garbage-collected and the atom table has a fixed capacity (1,048,576 entries by default, set with the +t emulator flag), so once it is full the entire Erlang node aborts, disrupting every workload running on that VM, not only the GraphQL endpoint.

Impact

Exploitation of this vulnerability causes the BEAM VM to abort, terminating the Erlang node and every process running on it. Because the atom table is shared by the whole node, any other application co-hosted on the same VM is taken down as well, and the atoms created by the attack are not reclaimed until the node is restarted.

Reproduction

The vulnerability can be reproduced by sending a GraphQL SDL document containing a large number of unique directive names to an application that uses Absinthe to parse it. This can be done through a schema-upload endpoint or any tool that processes user-supplied SDL. The Absinthe parser converts each directive name into an atom; since every request can use fresh names, one large document or a series of smaller ones fills the atom table until the VM aborts. The approach of the table's limit can be observed on the target node with :erlang.system_info(:atom_count) against :erlang.system_info(:atom_limit).
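As an added example (it is not Absinthe's code and not part of this advisory), the following Elixir module illustrates both the bug class from the Vulnerability section and the reproduction shape described above: a constructed SDL payload with n unique directive names, a toy scanner that interns each name with String.to_atom/1 the way a vulnerable parser would, a hardened variant that only accepts names that already exist as atoms and bounds the document, and an atom-table usage check. The module name, function names, the @max_directives bound and the regex are assumptions of this example; the scanner is not Absinthe's parser.

```elixir
defmodule AtomExhaustionDemo do
  @moduledoc """
  Constructed illustration of the atom-exhaustion bug class. Absinthe's real
  parser is not used; the SDL here is only scanned for directive names.
  """

  # Builds an SDL document declaring `n` directives with unique names.
  # Constructed payload shape: each name is fresh, so each becomes a new atom
  # when interned by a vulnerable parser.
  def payload(n) when is_integer(n) and n > 0 do
    Enum.map_join(1..n, "\n", fn i -> "directive @evil_d#{i} on FIELD" end)
  end

  # Toy scanner (assumption of this example): pulls directive names out of SDL text.
  def directive_names(sdl) do
    ~r/directive\s+@([A-Za-z_][A-Za-z0-9_]*)/
    |> Regex.scan(sdl, capture: :all_but_first)
    |> List.flatten()
  end

  # Vulnerable pattern: every user-supplied name is interned unconditionally.
  # String.to_atom/1 allocates a new atom for each unseen name; atoms are never
  # garbage-collected, so the table fills until the VM aborts.
  def intern_unsafe(sdl), do: Enum.map(directive_names(sdl), &String.to_atom/1)

  # Hardened pattern: refuse oversized documents before touching the atom table,
  # then accept only names that already exist as atoms (i.e. names the
  # application itself declared at compile time). Unknown names are rejected
  # instead of interned.
  @max_directives 64
  def intern_safe(sdl) do
    names = directive_names(sdl)

    if length(names) > @max_directives do
      {:error, :too_many_directives}
    else
      names
      |> Enum.reduce_while({:ok, []}, fn name, {:ok, acc} ->
        try do
          {:cont, {:ok, [String.to_existing_atom(name) | acc]}}
        rescue
          ArgumentError -> {:halt, {:error, {:unknown_directive, name}}}
        end
      end)
      |> case do
        {:ok, atoms} -> {:ok, Enum.reverse(atoms)}
        error -> error
      end
    end
  end

  # Current atom-table usage: count, limit and fill ratio. Suitable as a
  # health check or alert threshold on a node that parses untrusted input.
  def atom_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    {count, limit, count / limit}
  end
end

# Demonstration. The hardened variant rejects the constructed names because
# they do not exist as atoms yet; the vulnerable variant interns all of them.
# n is kept small so this runs safely; raising n toward the atom limit
# (1_048_576 by default) aborts the node with an atom_tab exhaustion error.
IO.inspect(AtomExhaustionDemo.intern_safe(AtomExhaustionDemo.payload(3)), label: "safe, small doc")
IO.inspect(AtomExhaustionDemo.intern_safe(AtomExhaustionDemo.payload(1_000)), label: "safe, large doc")

{before, _limit, _ratio} = AtomExhaustionDemo.atom_usage()
_ = AtomExhaustionDemo.intern_unsafe(AtomExhaustionDemo.payload(1_000))
{after_unsafe, limit, ratio} = AtomExhaustionDemo.atom_usage()
IO.puts("unsafe: atom count grew by about #{after_unsafe - before} (limit #{limit}, #{Float.round(ratio * 100, 3)}% used)")
```

Run it with elixir on a throwaway node, never on a production VM: the unsafe call permanently adds roughly 1,000 atoms that only a restart reclaims. The design point is that the safe path never calls String.to_atom/1 on input it did not author; String.to_existing_atom/1 turns an unknown name into an ArgumentError, which the code converts into a rejected document instead of a new atom-table entry.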

Remediation

Upgrade to Absinthe version 1.10.2 or later to address this vulnerability. Until the upgrade is deployed, do not feed untrusted SDL to Absinthe's parser: require authentication and apply a size limit on any schema-upload or SDL-processing endpoint, and alert when :erlang.system_info(:atom_count) approaches :erlang.system_info(:atom_limit) on affected nodes.

Added: May 8, 2026, 6:11 PM
Updated: May 8, 2026, 6:11 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.