CVE-2025-30371

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-30371

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30371.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-30371

Aliases

GHSA-8xf9-9jc8-qp98

Published

2025-03-28T14:47:36.718Z

Modified

2026-04-10T05:24:46.513732Z

Severity

2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator

Summary

Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint

Details

Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30371.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-59"
    ]
}

References

Affected packages

Git / github.com/metabase/metabase

Affected ranges

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

Fixed

dd8fb9bb9d4b099e5e16aa6f77b29f0966c5c46b

Fixed

b6c06678a6b07f3fd87c3b56138ede0238388cd6

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.52.16.4"
        },
        {
            "fixed": "0.53.8"
        }
    ]
}

Affected versions

0.*

0.10.3

0.34.0-rc1

Other

blah

v20150601-alpha

v20150603-alpha

v20150604-alpha

embedding-sdk-0.*

embedding-sdk-0.1.0

embedding-sdk-0.1.10

embedding-sdk-0.1.11

embedding-sdk-0.1.12

embedding-sdk-0.1.13

embedding-sdk-0.1.14

embedding-sdk-0.1.15

embedding-sdk-0.1.16

embedding-sdk-0.1.17

embedding-sdk-0.1.18

embedding-sdk-0.1.19

embedding-sdk-0.1.2

embedding-sdk-0.1.20

embedding-sdk-0.1.21

embedding-sdk-0.1.22

embedding-sdk-0.1.23

embedding-sdk-0.1.24

embedding-sdk-0.1.25

embedding-sdk-0.1.26

embedding-sdk-0.1.27

embedding-sdk-0.1.28

embedding-sdk-0.1.29

embedding-sdk-0.1.30

embedding-sdk-0.1.31

embedding-sdk-0.1.32

embedding-sdk-0.1.33

embedding-sdk-0.1.34

embedding-sdk-0.1.35

embedding-sdk-0.1.36

embedding-sdk-0.1.37

embedding-sdk-0.1.38

embedding-sdk-0.1.4

embedding-sdk-0.1.5

embedding-sdk-0.1.6

embedding-sdk-0.1.7

embedding-sdk-0.1.8

embedding-sdk-0.1.9

embedding-sdk-0.52.1-nightly

embedding-sdk-0.52.10

embedding-sdk-0.52.11

embedding-sdk-0.52.12

embedding-sdk-0.52.13

embedding-sdk-0.52.14

embedding-sdk-0.52.15

embedding-sdk-0.52.16

embedding-sdk-0.52.17

embedding-sdk-0.52.2-nightly

embedding-sdk-0.52.3-nightly

embedding-sdk-0.52.4-nightly

embedding-sdk-0.52.5

embedding-sdk-0.52.5-nightly

embedding-sdk-0.52.6

embedding-sdk-0.52.7

embedding-sdk-0.52.8

embedding-sdk-0.52.9

embedding-sdk-0.53.1-nightly

embedding-sdk-0.53.10

embedding-sdk-0.53.11

embedding-sdk-0.53.12

embedding-sdk-0.53.2

embedding-sdk-0.53.3

embedding-sdk-0.53.4

embedding-sdk-0.53.5

embedding-sdk-0.53.6

embedding-sdk-0.53.7

embedding-sdk-0.53.8

embedding-sdk-0.53.9

embedding-sdk-1.*

embedding-sdk-1.52.1

v0.*

v0.10.0

v0.10.3

v0.10.4

v0.10.4.1

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.12.0

v0.12.0-test

v0.13.0

v0.26.0.RC1

v0.35.0

v0.35.0-rc1

v0.35.0-rc2

v0.36.0-snapshot

v0.37.0-rc2

v0.38.0-preview

v0.38.0-rc1

v0.38.0-rc2

v0.38.0-rc3

v0.38.0-rc4

v0.40.0

v0.40.0-rc1-dan

v0.40.0-rc2

v0.41.0-RC1

v0.42.0-preview1

v0.43.0-rc1

v0.44.0-RC1

v0.45.0-RC1

v0.45.0-RC2

v0.47.0-RC1

v0.48.0-RC1

v0.52.0-beta

v0.52.0.1-beta

v0.52.0.2-beta

v0.52.0.3-beta

v0.52.0.4-beta

v0.52.0.5-beta

v0.52.1

v0.52.1.1

v0.52.1.2

v0.52.1.3

v0.52.10

v0.52.10.1

v0.52.10.2

v0.52.10.x

v0.52.11

v0.52.11.1

v0.52.11.2

v0.52.11.x

v0.52.12

v0.52.12.1

v0.52.12.x

v0.52.13

v0.52.13.1

v0.52.13.x

v0.52.14

v0.52.14.1

v0.52.14.2

v0.52.14.x

v0.52.15

v0.52.15.1

v0.52.15.2

v0.52.15.x

v0.52.16

v0.52.16.1

v0.52.16.2

v0.52.16.3

v0.52.2

v0.52.2.1

v0.52.2.2

v0.52.2.3

v0.52.2.4

v0.52.2.5

v0.52.2.6

v0.52.3

v0.52.3.1

v0.52.3.2

v0.52.3.3

v0.52.3.4

v0.52.3.5

v0.52.3.6

v0.52.4

v0.52.4.1

v0.52.4.2

v0.52.4.3

v0.52.4.4

v0.52.4.5

v0.52.4.6

v0.52.4.7

v0.52.5

v0.52.5.1

v0.52.5.2

v0.52.5.3

v0.52.5.4

v0.52.5.5

v0.52.5.6

v0.52.5.x

v0.52.6

v0.52.6.1

v0.52.6.2

v0.52.6.3

v0.52.6.x

v0.52.7

v0.52.7.1

v0.52.7.2

v0.52.7.3

v0.52.7.4

v0.52.7.x

v0.52.8

v0.52.8.1

v0.52.8.2

v0.52.8.3

v0.52.8.4

v0.52.8.5

v0.52.8.x

v0.52.9

v0.52.9.1

v0.52.9.2

v0.52.9.3

v0.52.9.4

v0.52.9.x

v0.53.0-beta

v0.53.0.1-beta

v0.53.0.2-beta

v0.53.0.3-beta

v0.53.0.4-beta

v0.53.0.x

v0.53.1

v0.53.1.1

v0.53.1.x

v0.53.2

v0.53.2.1

v0.53.2.2

v0.53.2.3

v0.53.2.x

v0.53.3

v0.53.3.1

v0.53.3.2

v0.53.3.3

v0.53.3.4

v0.53.3.5

v0.53.3.6

v0.53.3.x

v0.53.4

v0.53.4.1

v0.53.4.2

v0.53.4.3

v0.53.4.4

v0.53.4.x

v0.53.5

v0.53.5.1

v0.53.5.2

v0.53.5.3

v0.53.5.4

v0.53.5.5

v0.53.5.6

v0.53.5.x

v0.53.6

v0.53.6.1

v0.53.6.2

v0.53.6.3

v0.53.6.4

v0.53.6.5

v0.53.6.6

v0.53.6.7

v0.53.6.x

v0.53.7

v0.53.7.1

v0.53.7.2

v0.53.7.3

v0.53.7.4

v0.53.7.5

v0.53.7.6

v0.53.7.x

v0.53.8

v0.53.8.1

v0.53.8.2

v0.53.8.3

v0.53.8.4

v0.53.8.5

v0.9-final

v1.*

v1.40.0

v1.40.0-rc2

v1.41.0-RC1

v1.42.0-preview1

v1.42.0-rc2

v1.43.0-rc1

v1.44.0-RC1

v1.45.0-RC1

v1.45.0-RC2

v1.47.0-RC1

v1.48.0-RC1

v1.52.0-beta

v1.52.0.1-beta

v1.52.0.2-beta

v1.52.0.3-beta

v1.52.0.4-beta

v1.52.0.5-beta

v1.52.1

v1.52.1.1

v1.52.1.2

v1.52.1.3

v1.52.2

v1.52.2.1

v1.52.2.2

v1.52.2.3

v1.52.2.4

v1.52.2.5

v1.52.5.x

v1.52.x

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30371.json"