CVE-2025-30371

CVE-2025-30371 is a low-severity vulnerability with a CVSS 4.0 base score of 2.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-59.

Key facts

Description

Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround.

Frequently asked questions

What is CVE-2025-30371?
Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround.
How severe is CVE-2025-30371?
CVE-2025-30371 has a CVSS 4.0 base score of 2.1, rated low severity.
Is CVE-2025-30371 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (32nd percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-30371?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-30371 have an EU (EUVD) identifier?
Yes. CVE-2025-30371 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-14803.
When was CVE-2025-30371 published?
CVE-2025-30371 was published on 2025-03-28 and last updated on 2026-06-17.

References

Other CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities

Browse all CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities →