Cube.Js
CVE-2026-25957
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 npm packages depend on @cubejs-backend/server-core (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.1.17.
DescriptionGitHub Advisory
Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.
AnalysisAI
Cube.js versions 1.1.17 through 1.5.12 and 1.4.x before 1.4.2 are vulnerable to denial of service attacks where an authenticated attacker can craft a malicious request to completely disable the Cube API. This network-accessible vulnerability requires valid credentials but no user interaction, making it exploitable by any authenticated user with API access. No patch is currently available for affected versions.
Technical ContextAI
Classified as CWE-755 (Improper Handling of Exceptional Conditions). Affects Cube.Js. Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.
RemediationAI
Fixed in version 1.5.13. Restrict network access to the affected service where possible.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9vph-2hvm-x66g