logo

Database

Asymmetric denial of service In @cubejs-backend/server-core

Description

Cube Core is vulnerable to Denial of Service (DoS) via crafted request

Impact

It is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint.

Affected Versions:

>= 1.1.17

Mitigation:

Upgrade to a patched version:

    1.5.13 and later (regular release)

    1.4.2 (active LTS release)

References

The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-259572. NVD-2026-259573. OSV-2026-259574. GHSA-9vph-2hvm-x66g5. GCVE-2026-25957

References

1. https://github.com/cube-js/cube/security/advisories/GHSA-9vph-2hvm-x66g

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.