CVE-2021-41277

Published: Nov 17, 2021

Modified: Oct 21, 2025

PUBLISHED

CVSS v3.1

10.0

CRITICAL

Description

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.

Vendor	Product	Versions
metabase	metabase	affected `< 0.40.5` affected `>= 1.0.0, < 1.40.5`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

References

https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr

x_refsource_CONFIRM

https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-41277

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References