Denial of service attack on the cube-api endpoint
Description
Cube is a semantic layer for building data applications. Prior to version 0.34.34, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. The issue has been patched in v0.34.34 and it's recommended that all users exposing Cube APIs to the public internet upgrade to the latest version to prevent service disruption. There are currently no workaround for older versions, and the recommendation is to upgrade.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@cubejs-backend/api-gatewaynpm | < 0.34.34 | 0.34.34 |
Affected products
2- Range: < 0.34.34
Patches
Vulnerability mechanics
Root cause
"Unhandled exceptions in request processing due to missing error catching in contextToApiScopes and async handlers, and an unsafe hasOwnProperty check on the request object."
Attack vector
An attacker can submit a specially crafted HTTP request to a Cube API endpoint. The request triggers an unhandled exception in the `contextToApiScopes` function or in an async handler that lacks proper error middleware fallback [CWE-20]. Because the error is not caught, the entire Cube API process becomes unavailable, resulting in a denial of service. No authentication is required if the endpoint is exposed to the public internet.
Affected code
The vulnerability resides in the `@cubejs-backend/api-gateway` package. The patch addresses three issues: uncaught errors from `contextToApiScopes`, missing fallback to global error middleware for async handlers, and a removed `hasOwnProperty` check on the request object [patch_id=1640483][patch_id=1640482]. The exact file paths within the api-gateway package are not shown in the changelog diff.
What the fix does
The patch introduces three fixes in the api-gateway package: (1) catching errors from `contextToApiScopes` so they do not crash the process, (2) adding a fallback to the global error middleware for async handlers, and (3) removing a `hasOwnProperty` check on the request object that could cause unexpected failures [patch_id=1640483][patch_id=1640482]. Together these changes ensure that malformed input or runtime errors in request handling are properly caught and returned as error responses rather than crashing the API server.
Preconditions
- networkCube API endpoint must be exposed to the public internet or accessible to the attacker.
- authNo authentication required if the vulnerable endpoint is publicly accessible.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-9759-3276-g2pmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-50709ghsaADVISORY
- github.com/cube-js/cube/releases/tag/v0.34.34ghsax_refsource_MISCWEB
- github.com/cube-js/cube/security/advisories/GHSA-9759-3276-g2pmghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.