{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25957", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.066Z", "datePublished": "2026-02-09T22:39:16.121Z", "dateUpdated": "2026-02-11T21:23:47.950Z"}, "containers": {"cna": {"title": "Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request", "problemTypes": [{"descriptions": [{"cweId": "CWE-755", "lang": "en", "description": "CWE-755: Improper Handling of Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/cube-js/cube/security/advisories/GHSA-9vph-2hvm-x66g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cube-js/cube/security/advisories/GHSA-9vph-2hvm-x66g"}], "affected": [{"vendor": "cube-js", "product": "cube", "versions": [{"version": ">= 1.1.17, < 1.4.2", "status": "affected"}, {"version": ">= 1.5.0, < 1.5.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T22:40:08.076Z"}, "descriptions": [{"lang": "en", "value": "Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2."}], "source": {"advisory": "GHSA-9vph-2hvm-x66g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T21:23:41.305758Z", "id": "CVE-2026-25957", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:23:47.950Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25957", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T21:23:41.305758Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:23:44.812Z"}}], "cna": {"title": "Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request", "source": {"advisory": "GHSA-9vph-2hvm-x66g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "cube-js", "product": "cube", "versions": [{"status": "affected", "version": ">= 1.1.17, < 1.4.2"}, {"status": "affected", "version": ">= 1.5.0, < 1.5.13"}]}], "references": [{"url": "https://github.com/cube-js/cube/security/advisories/GHSA-9vph-2hvm-x66g", "name": "https://github.com/cube-js/cube/security/advisories/GHSA-9vph-2hvm-x66g", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-755", "description": "CWE-755: Improper Handling of Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T22:40:08.076Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25957", "state": "PUBLISHED", "dateUpdated": "2026-02-11T21:23:47.950Z", "dateReserved": "2026-02-09T17:13:54.066Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T22:39:16.121Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cube:cube.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "EDBEFAB8-9209-469F-B40A-3212CE2D83D2", "versionEndExcluding": "1.4.2", "versionStartIncluding": "1.1.17", "vulnerable": true}, {"criteria": "cpe:2.3:a:cube:cube.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BE6B3000-94CC-46CE-BA90-87D559D6F536", "versionEndExcluding": "1.5.13", "versionStartIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2."}, {"lang": "es", "value": "Cube es una capa sem\u00e1ntica para construir aplicaciones de datos. Desde la versi\u00f3n 1.1.17 hasta antes de la 1.5.13 y la 1.4.2, es posible inhabilitar la totalidad de la API de Cube mediante el env\u00edo de una solicitud especialmente dise\u00f1ada a un endpoint de la API de Cube. Esta vulnerabilidad est\u00e1 corregida en las versiones 1.5.13 y 1.4.2."}], "id": "CVE-2026-25957", "lastModified": "2026-02-24T19:53:01.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T23:16:06.780", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cube-js/cube/security/advisories/GHSA-9vph-2hvm-x66g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.17,1.4.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.5.0,1.5.13)"}}], "product": "cube", "vendor": "cube-js"}], "analysis": {"en": {"generated_at": "2026-04-17T21:03:12.553286+00:00", "value": {"mitigation_remediation": ["Upgrade to Cube version 1.5.13 or 1.4.2, whichever applies to your deployment.", "Restrict access to Cube API endpoints to trusted users or IP ranges to limit the attack surface.", "Implement application\u2011level rate limiting or request throttling on Cube endpoints to mitigate potential DoS attacks during the transition period."], "summary": {"action": "Patch", "impact": "Denial of Service (availability)"}, "threat_synthesis": {"affected_systems": "Affected vendors and products include Cube, the Cube.js/cube library. The vulnerability affects all Cube releases from version 1.1.17 up to, but not including, 1.5.13, as well as the 1.4.2 release. Users running these versions without upgrading remain vulnerable. The product is built on Node.js, but the problem resides in the Cube code itself rather than the runtime.", "description_and_impact": "Cube, a semantic layer for building data applications, allows an authenticated attacker to bring the entire Cube API to a halt by submitting a specially crafted request to any Cube endpoint. The flaw is classified as CWE\u2011755 because the code fails to enforce correct control flow, leading to an unhandled exception that crashes the service. The resulting denial of service disrupts availability for all downstream applications that rely on the Cube API, but does not leak data or modify resources.", "risk_and_exploitability": "The CVSS score of 6.5 places the flaw in the moderate range, while the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The issue requires authenticated access to the Cube API, so an attacker must first obtain valid credentials or impersonate a logged\u2011in user. Nevertheless, once authenticated, the attacker can send a single crafted request that causes the Cube service to crash, leading to widespread outage. Although the exploit has not yet been observed in the wild and is not listed in CISA\u2019s KEV catalog, organizations that expose Cube to external users or lack strict access controls should treat this as a noteworthy risk until they can update to a fixed release."}}}}, "created": "2026-02-10T11:34:51.557722+00:00", "updated": "2026-04-17T21:15:27.374037+00:00", "vendors": ["cube-js", "cube-js$PRODUCT$cube"]}