Metabase
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*
- < 0.52.16.4
- < 0.53.8
A vulnerability exists in Metabase versions prior to 0.52.16.4, 1.52.16.4, 0.53.8, and 1.53.8, allowing for the circumvention of local link access protection in the GeoJson endpoint. This issue affects self-hosted Metabase instances utilizing the GeoJson feature, particularly if they are colocated with other unsecured resources.
Exploitation of this vulnerability can lead to unauthorized access to local link resources via the GeoJson endpoint.
To reproduce this vulnerability, use dnsmasq to create local A records with multiple IP addresses, designating one as a local link address. Then, run a local HTTP server or use netcat on the local IP's HTTP port. Retry accessing the GeoJson address until the local server receives an incoming request.
Users can upgrade to Metabase versions 0.52.16.4, 1.52.16.4, 0.53.8, or 1.53.8. Alternatively, Metabase can be redeployed in a dedicated subnet with strict outbound port controls.
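Added example, not Metabase's code: the reproduction above depends on a hostname that resolves to several A records, so a check that inspects one record can pass while the HTTP client connects to another. The sketch assumes that failure mode (the page does not show the vulnerable code) and contrasts it with validating every record and pinning the connection to the validated address. All function names and the sample DNS answer are constructed for illustration.

```python
import ipaddress
import socket

# Constructed DNS answer: one documentation-range record, one link-local record.
CONSTRUCTED_ANSWER = ["203.0.113.10", "169.254.169.254"]


def is_blocked(addr: str) -> bool:
    """True for link-local or loopback targets, including IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.x.x must not slip through
    return ip.is_link_local or ip.is_loopback


def first_record_check(addresses: list[str]) -> bool:
    """Weak pattern (assumed, for contrast): only the first record is inspected."""
    return not is_blocked(addresses[0])


def pin_validated_address(addresses: list[str]) -> str:
    """Reject the host if ANY record is blocked; return the address to connect to."""
    if not addresses:
        raise ValueError("no addresses resolved")
    bad = [a for a in addresses if is_blocked(a)]
    if bad:
        raise ValueError(f"blocked address in DNS answer: {bad}")
    # The caller must connect to this exact IP (sending the original Host
    # header) instead of resolving the name a second time.
    return addresses[0]


def resolve_all(host: str, port: int = 443) -> list[str]:
    """Every address the resolver returns for host, de-duplicated in order."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return list(dict.fromkeys(info[4][0] for info in infos))


if __name__ == "__main__":
    print("first-record check passes:", first_record_check(CONSTRUCTED_ANSWER))
    try:
        pin_validated_address(CONSTRUCTED_ANSWER)
    except ValueError as exc:
        print("all-record check rejects:", exc)
```

Validation and connection have to use the same resolved address; validating a name and then letting the HTTP client resolve it again reopens the gap even when every record was checked.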