Uncontrolled Resource Consumption ('Resource Exhaustion') Affecting @cubejs-backend/api-gateway package, versions <0.34.34


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.07% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-CUBEJSBACKENDAPIGATEWAY-6124870
  • published14 Dec 2023
  • disclosed13 Dec 2023
  • creditUnknown

Introduced: 13 Dec 2023

CVE-2023-50709  (opens in a new tab)
CWE-400  (opens in a new tab)

How to fix?

Upgrade @cubejs-backend/api-gateway to version 0.34.34 or higher.

Overview

@cubejs-backend/api-gateway is a package that provides idempotent long polling API.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via a specially crafted request to a Cube API endpoint. An attacker can make the entire Cube API unavailable by submitting this request.

CVSS Scores

version 3.1