Vulnerability Description
Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-30371?
CVE-2025-30371 is a documented vulnerability. Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJs...
How severe is CVE-2025-30371?
CVSS scoring is not yet available for CVE-2025-30371. Check NVD for updates.
Is there a patch for CVE-2025-30371?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.