Absinthe-GraphQL Unique Fragment Name Validation Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Absinthe-GraphQL library, affecting versions from 1.2.0 up to but not including 1.10.2. This vulnerability allows unauthenticated attackers to cause significant CPU load on servers handling GraphQL requests. The issue arises from the fragment-name uniqueness validation process, which has quadratic time complexity in the number of fragment definitions. When a GraphQL query is crafted with a large number of fragment definitions, the validation phase can become extremely resource-intensive. For example, a 1 MB query document can contain around 60,000 fragments, leading to approximately 3.6 billion name comparisons during validation. This problem does not require authentication or knowledge of the GraphQL schema, making it relatively easy to exploit.
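
The following is an added illustration, not part of this advisory and not Absinthe's own code: it counts the name comparisons made by a naive pairwise fragment-name uniqueness check (n(n-1), which for 60,000 fragments gives the 3.6 billion figure above) against a hash-set check that needs one lookup per name, and shows a pre-validation guard that caps the number of fragment definitions. The fragment regex, the sample document and the `max_fragments` limit are assumptions for this example, not a description of Absinthe's parser or its fix.

```python
import re

# Constructed sample document: two fragments, one of them defined twice.
SAMPLE_DOC = """
query { ...F0 ...F1 }
fragment F0 on Query { __typename }
fragment F1 on Query { __typename }
fragment F0 on Query { __typename }
"""

# Assumed minimal match for a GraphQL fragment definition header.
FRAGMENT_RE = re.compile(r"\bfragment\s+([_A-Za-z][_0-9A-Za-z]*)\s+on\b")


def fragment_names(document: str) -> list[str]:
    """Return fragment definition names in document order."""
    return FRAGMENT_RE.findall(document)


def duplicates_quadratic(names: list[str]) -> tuple[list[str], int]:
    """Naive check: every name is compared with every other name, n*(n-1) comparisons."""
    comparisons, dupes = 0, set()
    for i, a in enumerate(names):
        for j, b in enumerate(names):
            if i == j:
                continue
            comparisons += 1
            if a == b:
                dupes.add(a)
    return sorted(dupes), comparisons


def duplicates_linear(names: list[str]) -> tuple[list[str], int]:
    """Hash-set check: one set lookup per name, n operations."""
    seen, dupes, lookups = set(), set(), 0
    for name in names:
        lookups += 1
        if name in seen:
            dupes.add(name)
        seen.add(name)
    return sorted(dupes), lookups


def quadratic_comparisons(n: int) -> int:
    """Comparisons the naive check makes for n fragment definitions."""
    return n * (n - 1)


def check_document(document: str, max_fragments: int = 500) -> dict:
    """Defender-side guard (assumed limit): reject oversized documents before validating."""
    names = fragment_names(document)
    if len(names) > max_fragments:
        return {"accepted": False, "fragments": len(names), "reason": "too many fragment definitions"}
    dupes, _ = duplicates_linear(names)
    return {"accepted": not dupes, "fragments": len(names), "duplicates": dupes}
```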

Impact

Exploitation of this vulnerability causes a denial-of-service condition by stalling server processes for an extended period, with reported delays of over 15 seconds for a single request. Such exploitation can exhaust the server's request-handling capacity, leading to service interruptions.

Reproduction

The vulnerability can be reproduced by sending a GraphQL request that includes a large number of fragment definitions. This can be done using a standalone script that constructs a query with up to 20,000 fragments, each referencing a simple field. The script measures the time taken for the Absinthe server to process the request, demonstrating the quadratic delay introduced by the vulnerability.

Remediation

Users can upgrade to Absinthe version 1.10.2 or later, where this vulnerability has been fixed.

Added: May 8, 2026, 6:07 PM
Updated: May 8, 2026, 6:07 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.