VYPR
Low severityOSV Advisory· Published Mar 28, 2025· Updated Apr 15, 2026

CVE-2025-30371

CVE-2025-30371

Description

Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Metabase/MetabaseOSV2 versions
    0.10.3, 0.34.0-rc1, blah, …+ 1 more
    • (no CPE)range: 0.10.3, 0.34.0-rc1, blah, …
    • (no CPE)range: < 0.52.16.4, < 1.52.16.4, < 0.53.8, < 1.53.8

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.