Cube, a semantic layer for building data applications, allows an authenticated attacker to bring the entire Cube API to a halt by submitting a specially crafted request to any Cube endpoint. The flaw is classified as CWE‑755 because the code fails to enforce correct control flow, leading to an unhandled exception that crashes the service. The resulting denial of service disrupts availability for all downstream applications that rely on the Cube API, but does not leak data or modify resources.

Affected vendors and products include Cube, the Cube.js/cube library. The vulnerability affects all Cube releases from version 1.1.17 up to, but not including, 1.5.13, as well as the 1.4.2 release. Users running these versions without upgrading remain vulnerable. The product is built on Node.js, but the problem resides in the Cube code itself rather than the runtime.

The CVSS score of 6.5 places the flaw in the moderate range, while the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The issue requires authenticated access to the Cube API, so an attacker must first obtain valid credentials or impersonate a logged‑in user. Nevertheless, once authenticated, the attacker can send a single crafted request that causes the Cube service to crash, leading to widespread outage. Although the exploit has not yet been observed in the wild and is not listed in CISA’s KEV catalog, organizations that expose Cube to external users or lack strict access controls should treat this as a noteworthy risk until they can update to a fixed release.