CVE-2026-25957

6.5 MEDIUM

📋 TL;DR

CVE-2026-25957 is a denial-of-service vulnerability in the Cube semantic layer that allows an attacker to crash the entire Cube API with a specially crafted request. It affects all Cube deployments running vulnerable versions, potentially disrupting the data applications that rely on Cube's API services.

💻 Affected Systems

Products:
  • Cube semantic layer
Versions: 1.1.17 to before 1.5.13, and 1.4.2
Operating Systems: All platforms running Cube
Default Config Vulnerable: ⚠️ Yes
Notes: All Cube deployments with vulnerable versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete unavailability of Cube API services, disrupting all data applications and analytics that depend on Cube, potentially causing business operations to halt.

🟠 Likely Case: Temporary service disruption until the Cube service is restarted, affecting data-driven applications and dashboards.

🟢 If Mitigated: Minimal impact with proper rate limiting, request validation, and monitoring in place to detect and block malicious requests.

🌐 Internet-Facing: HIGH - Internet-facing Cube instances are directly exposed to attack from any source.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory states that a specially crafted request can trigger the vulnerability, which indicates relatively simple exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.13 or 1.4.2

Vendor Advisory: https://github.com/cube-js/cube/security/advisories/GHSA-9vph-2hvm-x66g

Restart Required: Yes

Instructions:

1. Stop the Cube service.
2. Update Cube to version 1.5.13 or 1.4.2 using npm update or your package manager.
3. Restart the Cube service.

🔧 Temporary Workarounds

Rate Limiting (all)

  • Implement request rate limiting to prevent rapid exploitation attempts
  • Configure rate limiting in your reverse proxy or load balancer

Request Validation (all)

  • Add input validation at the proxy layer to filter suspicious requests
  • Configure WAF rules to block malformed requests

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Cube API endpoints
  • Deploy Web Application Firewall (WAF) with DoS protection rules

🔍 How to Verify

Check if Vulnerable:

Check the installed Cube version using 'npm list cube-core' or by examining package.json

Check Version:

npm list cube-core | grep cube-core

Verify Fix Applied:

Verify that the installed version is 1.5.13 or 1.4.2 or higher, then test API functionality
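The version check above can be scripted so that it runs across many hosts. The following is an added example, not code from this page or from the Cube project: it parses the output of 'npm list cube-core', compares the installed version against the patch versions stated above, and reports whether the host is patched. The sample npm output is constructed. The page lists 1.4.2 both among the affected versions and as a patch version; this example treats 1.4.2 as the fix for the 1.4 release line and 1.5.13 as the fix for everything newer, which is an assumption, and it reports versions below 1.1.17 as outside the affected range.

```python
import re

# Constructed sample output of `npm list cube-core`; not captured from a real deployment.
SAMPLE_NPM_LIST = """my-data-app@1.0.0 /srv/my-data-app
└── cube-core@1.5.12
"""

# Patch versions as stated in the advisory summary above.
FIXED_15_LINE = (1, 5, 13)
FIXED_14_LINE = (1, 4, 2)
FIRST_AFFECTED = (1, 1, 17)


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' (optionally with a suffix) into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def extract_version(npm_list_output, package="cube-core"):
    """Pull '<package>@x.y.z' out of `npm list` output; None if the package is absent."""
    m = re.search(re.escape(package) + r"@(\d+\.\d+\.\d+)", npm_list_output)
    return m.group(1) if m else None


def assess(version):
    """Classify a version as 'patched', 'vulnerable' or 'not in affected range'.

    Assumption (see lead-in): 1.4.2 fixes the 1.4.x line and 1.5.13 fixes
    the main line, so 1.4.x >= 1.4.2 and anything >= 1.5.13 count as patched.
    """
    v = parse_version(version)
    if v >= FIXED_15_LINE:
        return "patched"
    if v[:2] == (1, 4) and v >= FIXED_14_LINE:
        return "patched"
    if v < FIRST_AFFECTED:
        return "not in affected range"
    return "vulnerable"


def check_cube_version(npm_list_output):
    """Run the full check over `npm list` output and return a small report dict."""
    version = extract_version(npm_list_output)
    if version is None:
        return {"version": None, "status": "cube-core not found"}
    return {"version": version, "status": assess(version)}


if __name__ == "__main__":
    # In practice feed this with: npm list cube-core | python3 check_cube.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NPM_LIST
    print(check_cube_version(data))
```

Pipe real 'npm list cube-core' output into the script on each host; a "vulnerable" result means the host needs the update and restart described under Official Fix.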

📡 Detection & Monitoring

Log Indicators:

  • Sudden service crashes
  • Error logs showing malformed requests
  • Increased error rates

Network Indicators:

  • Spike in requests to Cube API endpoints
  • Unusual request patterns

SIEM Query:

source="cube.log" AND ("crash" OR "error" OR "malformed")
