CVE-2025-30371
LOWMetabase <0.52.16.4, <1.52.16.4, <0.53.8, <1.53.8 - SSRF
Title source: llmDescription
Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98
Scores
CVSS v4
2.1
EPSS
0.0034
EPSS Percentile
25.2%
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-59
Status
published
Products (4)
metabase/metabase
< 0.52.16.4
metabase/metabase
< 0.53.8
metabase/metabase
< 1.52.16.4
metabase/metabase
< 1.53.8
Published
Mar 28, 2025
Tracked Since
Feb 18, 2026