What is the severity of CVE-2025-30371?

CVE-2025-30371 has a medium severity rating, indicating a potential risk for unauthorized access to sensitive data.

How do I fix CVE-2025-30371?

To fix CVE-2025-30371, update your Metabase instance to version 0.52.16.4, 1.52.16.4, 0.53.8, or 1.53.8 or higher.

Who is affected by CVE-2025-30371?

Self-hosted Metabase instances utilizing the GeoJson feature prior to the specified versions are affected by CVE-2025-30371.

What does CVE-2025-30371 exploit?

CVE-2025-30371 exploits the circumvention of local link access protection in the GeoJson endpoint.

Is there a workaround for CVE-2025-30371?

Currently, there is no documented workaround for CVE-2025-30371; upgrading to the patched versions is recommended.

Vulnerability/
CVE-2025-30371

low

2.1

CWE

EPSS

0.042%

28/3/2025

CVE-2025-30371: Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint

First published: Fri Mar 28 2025(Updated: 5 days ago)

Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Metabase	<0.52.16.4<1.52.16.4<0.53.8<1.53.8

Never miss a vulnerability like this again

Reference Links

https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98

Frequently Asked Questions

What is the severity of CVE-2025-30371?
CVE-2025-30371 has a medium severity rating, indicating a potential risk for unauthorized access to sensitive data.
How do I fix CVE-2025-30371?
To fix CVE-2025-30371, update your Metabase instance to version 0.52.16.4, 1.52.16.4, 0.53.8, or 1.53.8 or higher.
Who is affected by CVE-2025-30371?
Self-hosted Metabase instances utilizing the GeoJson feature prior to the specified versions are affected by CVE-2025-30371.
What does CVE-2025-30371 exploit?
CVE-2025-30371 exploits the circumvention of local link access protection in the GeoJson endpoint.
Is there a workaround for CVE-2025-30371?
Currently, there is no documented workaround for CVE-2025-30371; upgrading to the patched versions is recommended.

collector/mitre-cve
source/MITRE
agent/title
agent/references
agent/weakness
agent/first-publish-date
agent/type
agent/description
agent/guess-ai
agent/software-canonical-lookup
agent/softwarecombine
agent/author
agent/severity
agent/event
collector/nvd-api
source/NVD
agent/last-modified-date
collector/epss-latest
source/FIRST
agent/source
agent/tags
agent/epss
vendor/metabase
canonical/metabase

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.