{"id":"CVE-2025-30371","summary":"Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint","details":"Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of the local link access protection in the GeoJson endpoint. Self-hosted Metabase instances that use the GeoJson feature could potentially be impacted if Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Available workarounds are migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls.","aliases":["GHSA-8xf9-9jc8-qp98"],"modified":"2026-04-10T05:24:46.513732Z","published":"2025-03-28T14:47:36.718Z","database_specific":{"cwe_ids":["CWE-59"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30371.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30371.json"},{"type":"ADVISORY","url":"https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30371"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/metabase/metabase","events":[{"introduced":"0"},{"fixed":"dd8fb9bb9d4b099e5e16aa6f77b29f0966c5c46b"},{"fixed":"b6c06678a6b07f3fd87c3b56138ede0238388cd6"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.52.16.4"},{"fixed":"0.53.8"}]}}],"versions":["0.10.3","0.34.0-rc1","blah","embedding-sdk-0.1.0","embedding-sdk-0.1.10","embedding-sdk-0.1.11","embedding-sdk-0.1.12","embedding-sdk-0.1.13","embedding-sdk-0.1.14","embedding-sdk-0.1.15","embedding-sdk-0.1.16","embedding-sdk-0.1.17","embedding-sdk-0.1.18","embedding-sdk-0.1.19","embedding-sdk-0.1.2","embedding-sdk-0.1.20","embedding-sdk-0.1.21","embedding-sd
k-0.1.22","embedding-sdk-0.1.23","embedding-sdk-0.1.24","embedding-sdk-0.1.25","embedding-sdk-0.1.26","embedding-sdk-0.1.27","embedding-sdk-0.1.28","embedding-sdk-0.1.29","embedding-sdk-0.1.30","embedding-sdk-0.1.31","embedding-sdk-0.1.32","embedding-sdk-0.1.33","embedding-sdk-0.1.34","embedding-sdk-0.1.35","embedding-sdk-0.1.36","embedding-sdk-0.1.37","embedding-sdk-0.1.38","embedding-sdk-0.1.4","embedding-sdk-0.1.5","embedding-sdk-0.1.6","embedding-sdk-0.1.7","embedding-sdk-0.1.8","embedding-sdk-0.1.9","embedding-sdk-0.52.1-nightly","embedding-sdk-0.52.10","embedding-sdk-0.52.11","embedding-sdk-0.52.12","embedding-sdk-0.52.13","embedding-sdk-0.52.14","embedding-sdk-0.52.15","embedding-sdk-0.52.16","embedding-sdk-0.52.17","embedding-sdk-0.52.2-nightly","embedding-sdk-0.52.3-nightly","embedding-sdk-0.52.4-nightly","embedding-sdk-0.52.5","embedding-sdk-0.52.5-nightly","embedding-sdk-0.52.6","embedding-sdk-0.52.7","embedding-sdk-0.52.8","embedding-sdk-0.52.9","embedding-sdk-0.53.1-nightly","embedding-sdk-0.53.10","embedding-sdk-0.53.11","embedding-sdk-0.53.12","embedding-sdk-0.53.2","embedding-sdk-0.53.3","embedding-sdk-0.53.4","embedding-sdk-0.53.5","embedding-sdk-0.53.6","embedding-sdk-0.53.7","embedding-sdk-0.53.8","embedding-sdk-0.53.9","embedding-sdk-1.52.1","rm","v0.10.0","v0.10.3","v0.10.4","v0.10.4.1","v0.11.0","v0.11.1","v0.11.2","v0.11.3","v0.12.0","v0.12.0-test","v0.13.0","v0.26.0.RC1","v0.35.0","v0.35.0-rc1","v0.35.0-rc2","v0.36.0-snapshot","v0.37.0-rc2","v0.38.0-preview","v0.38.0-rc1","v0.38.0-rc2","v0.38.0-rc3","v0.38.0-rc4","v0.40.0","v0.40.0-rc1-dan","v0.40.0-rc2","v0.41.0-RC1","v0.42.0-preview1","v0.43.0-rc1","v0.44.0-RC1","v0.45.0-RC1","v0.45.0-RC2","v0.47.0-RC1","v0.48.0-RC1","v0.52.0-beta","v0.52.0.1-beta","v0.52.0.2-beta","v0.52.0.3-beta","v0.52.0.4-beta","v0.52.0.5-beta","v0.52.1","v0.52.1.1","v0.52.1.2","v0.52.1.3","v0.52.10","v0.52.10.1","v0.52.10.2","v0.52.10.x","v0.52.11","v0.52.11.1","v0.52.11.2","v0.52.11.x","v0.52.12","v0.52.12.1","v0.52.1
2.x","v0.52.13","v0.52.13.1","v0.52.13.x","v0.52.14","v0.52.14.1","v0.52.14.2","v0.52.14.x","v0.52.15","v0.52.15.1","v0.52.15.2","v0.52.15.x","v0.52.16","v0.52.16.1","v0.52.16.2","v0.52.16.3","v0.52.2","v0.52.2.1","v0.52.2.2","v0.52.2.3","v0.52.2.4","v0.52.2.5","v0.52.2.6","v0.52.3","v0.52.3.1","v0.52.3.2","v0.52.3.3","v0.52.3.4","v0.52.3.5","v0.52.3.6","v0.52.4","v0.52.4.1","v0.52.4.2","v0.52.4.3","v0.52.4.4","v0.52.4.5","v0.52.4.6","v0.52.4.7","v0.52.5","v0.52.5.1","v0.52.5.2","v0.52.5.3","v0.52.5.4","v0.52.5.5","v0.52.5.6","v0.52.5.x","v0.52.6","v0.52.6.1","v0.52.6.2","v0.52.6.3","v0.52.6.x","v0.52.7","v0.52.7.1","v0.52.7.2","v0.52.7.3","v0.52.7.4","v0.52.7.x","v0.52.8","v0.52.8.1","v0.52.8.2","v0.52.8.3","v0.52.8.4","v0.52.8.5","v0.52.8.x","v0.52.9","v0.52.9.1","v0.52.9.2","v0.52.9.3","v0.52.9.4","v0.52.9.x","v0.53.0-beta","v0.53.0.1-beta","v0.53.0.2-beta","v0.53.0.3-beta","v0.53.0.4-beta","v0.53.0.x","v0.53.1","v0.53.1.1","v0.53.1.x","v0.53.2","v0.53.2.1","v0.53.2.2","v0.53.2.3","v0.53.2.x","v0.53.3","v0.53.3.1","v0.53.3.2","v0.53.3.3","v0.53.3.4","v0.53.3.5","v0.53.3.6","v0.53.3.x","v0.53.4","v0.53.4.1","v0.53.4.2","v0.53.4.3","v0.53.4.4","v0.53.4.x","v0.53.5","v0.53.5.1","v0.53.5.2","v0.53.5.3","v0.53.5.4","v0.53.5.5","v0.53.5.6","v0.53.5.x","v0.53.6","v0.53.6.1","v0.53.6.2","v0.53.6.3","v0.53.6.4","v0.53.6.5","v0.53.6.6","v0.53.6.7","v0.53.6.x","v0.53.7","v0.53.7.1","v0.53.7.2","v0.53.7.3","v0.53.7.4","v0.53.7.5","v0.53.7.6","v0.53.7.x","v0.53.8","v0.53.8.1","v0.53.8.2","v0.53.8.3","v0.53.8.4","v0.53.8.5","v0.9-final","v1.40.0","v1.40.0-rc2","v1.41.0-RC1","v1.42.0-preview1","v1.42.0-rc2","v1.43.0-rc1","v1.44.0-RC1","v1.45.0-RC1","v1.45.0-RC2","v1.47.0-RC1","v1.48.0-RC1","v1.52.0-beta","v1.52.0.1-beta","v1.52.0.2-beta","v1.52.0.3-beta","v1.52.0.4-beta","v1.52.0.5-beta","v1.52.1","v1.52.1.1","v1.52.1.2","v1.52.1.3","v1.52.2","v1.52.2.1","v1.52.2.2","v1.52.2.3","v1.52.2.4","v1.52.2.5","v1.52.5.x","v1.52.x","v20150601-alpha","v20150603-alpha","v20150604-alpha"],
"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30371.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"}]}