GHSA-9vph-2hvm-x66g — medium GitHub Advisory (CVE-2026-25957) in npm/@cubejs-backend/server-core

Description

It is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint.

>= 1.1.17

Upgrade to a patched version:

The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.

Score	Percentile
0.02%	5.18%

Base score	Version	Severity	Vector
6.5	3.1	—	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.

Type	Value
GHSA	GHSA-9vph-2hvm-x66g ↗
CVE	CVE-2026-25957 ↗

CWE id	Name
CWE-755	Improper Handling of Exceptional Conditions

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
npm	@cubejs-backend/server-core	>= 1.1.17, < 1.4.2	1.4.2	—
npm	@cubejs-backend/server-core	>= 1.5.0, < 1.5.13	1.5.13	—