The vulnerability in absinthe-graphql absinthe (versions 1.5.0 up to but not including 1.10.2) is due to multiple calls to String.to_atom/1 on attacker-controlled names in GraphQL SDL documents during parsing. Since atoms in the Erlang VM are never garbage-collected and the atom table has a fixed size limit, an attacker can exhaust this table by submitting SDL with many unique names (directive names, field names, type names, argument names). This leads to a denial of service by causing the Erlang VM to abort with a system_limit error, crashing the node. This affects any application that processes untrusted SDL input through Absinthe's parser.

Successful exploitation results in a denial of service condition by exhausting the Erlang VM atom table, causing the entire node to abort and become unavailable. This can disrupt services relying on Absinthe for GraphQL SDL parsing, including schema-upload endpoints and federation gateways. There is no indication of code execution or data disclosure from the provided information.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid parsing untrusted or attacker-controlled GraphQL SDL documents with vulnerable versions of Absinthe. Implement input validation or rate limiting on SDL inputs if possible to reduce risk.