EEF-CVE-2026-43967

Vulnerability Summary

Overview

Vulnerability Name: Absinthe GraphQL uniqueness check leads to Denial of Service (DoS)
Vulnerability Type: Algorithmic Complexity Vulnerability (CWE-400)
Severity: 9.7 (High)
CVSS 3.1 Score: CVSS:3.1/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VA:N/SC:N/SI:N/SA:N
Publication Date: 2026-05-08T16:42:34.347Z
Modification Date: 2026-05-08T16:32:67445527Z
Affected Component: absinthe-graphql/absinthe (1.2.0 to 1.10.2)

Details

In , invokes for each fragment, resulting in a full linear scan of the fragment list. This leads to O(N²) comparisons, where N is the number of fragment definitions provided by the caller. Since is constructed directly from the GraphQL query body, N is entirely controlled by the attacker. A minimal fragment definition is approximately 16 bytes; therefore, a ~1 MB query body can carry ~60,000 fragments, forcing approximately 3.6 × 10⁹ comparisons. This validation phase requires no authentication, schema knowledge, or special configuration.

Scope

Affected Package:
Package Name:
Purl:
Affected Versions:
Events:
- Introduced: 1.2.0
- Fixed: 1.10.2

Remediation

Fixed Version: Upgrade to or later
Fix Link: GitHub Commit

References

CNA Entry GitHub Advisory GitHub CVE Hex Package

Credits

Finder: Peter Ulbrich
Remediation Developer: Curtis Schiewek
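
The cost difference described under Details, as an added example that is not Absinthe's code or the project's fix: a language-neutral Python model of a per-fragment linear scan next to a single-pass uniqueness check with a definition-count cap. The function names, the `MAX_FRAGMENTS` limit and the sample names are assumptions made for illustration.

```python
from collections import Counter

MAX_FRAGMENTS = 500  # assumed policy limit, not a value from the advisory


def duplicates_by_scan(names):
    """Model of the flawed pattern: one full scan of the list per fragment.

    Returns (sorted duplicate names, comparisons performed); comparisons == N*N.
    """
    comparisons = 0
    dups = set()
    for name in names:
        matches = 0
        for other in names:
            comparisons += 1
            if other == name:
                matches += 1
        if matches > 1:
            dups.add(name)
    return sorted(dups), comparisons


def duplicates_single_pass(names):
    """Same result from one hash-map pass; returns (duplicates, N updates)."""
    counts = Counter(names)
    return sorted(n for n, c in counts.items() if c > 1), len(names)


def check_fragment_names(names, limit=MAX_FRAGMENTS):
    """Cap the definition count first, then check uniqueness in linear time."""
    if len(names) > limit:
        return ("rejected", f"{len(names)} fragment definitions exceed limit {limit}")
    dups, _ = duplicates_single_pass(names)
    if dups:
        return ("invalid", "duplicate fragment names: " + ", ".join(dups))
    return ("ok", None)


if __name__ == "__main__":
    # Constructed sample: 1,000 distinct names plus one repeated name.
    names = [f"F{i}" for i in range(1000)] + ["F7"]
    print(duplicates_by_scan(names))
    print(duplicates_single_pass(names))
    print(check_fragment_names(names))
```

Both checks report the same duplicates; only the work differs, growing with N² for the scan and with N for the single pass.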