CVE-2025-30371

LOW

Metabase <0.52.16.4, <1.52.16.4, <0.53.8, <1.53.8 - SSRF

Title source: llm

Description

Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround.

References (1)

[Vendor Advisory] https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98

Scores

CVSS v4 2.1

EPSS 0.0046

EPSS Percentile 63.9%

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-59

Status published

Products (4)

metabase/metabase < 0.52.16.4

metabase/metabase < 0.53.8

metabase/metabase < 1.52.16.4

metabase/metabase < 1.53.8

Published Mar 28, 2025

Tracked Since Feb 18, 2026