Metabase Subscription Webhook Vulnerability Allowing Internal Address Access

Vulnerability

A vulnerability exists in self-hosted Metabase instances prior to versions 55.13, 56.3, and 57.1 that allow users to create subscriptions. These instances can be affected if they are colocated with other unsecured resources. The vulnerability can be exploited to reach internal local addresses via the channel test endpoint.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal local addresses, potentially allowing for further attacks on unsecured resources.

Reproduction

To reproduce this vulnerability, deploy a self-hosted Metabase instance older than the patched versions that allows users to create subscriptions. Then run a local HTTP server, or use netcat, to listen on a local IP address. In Metabase, navigate to 'Admin' -> 'Notification channel' -> 'Webhooks for alerts'. Add a webhook and enter the local IP address in the 'Webhook url' form field. Send a test; the request reaches the internal address via the webhook.

Remediation

Users can upgrade to Metabase versions 55.13, 56.3, or 57.1. Alternatively, Metabase can be migrated to Metabase Cloud or redeployed in a dedicated subnet with strict outbound port controls.
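The remediation above relies on network-level egress controls. An application-level check of the same kind is shown below as an added example; it is not Metabase's own code. It rejects a webhook destination whose host is a literal or resolves to a loopback, private, link-local, multicast, reserved or unspecified address, judging IPv4-mapped IPv6 literals by the embedded IPv4 address. The function names, the injectable `resolver` parameter and the sample addresses are assumptions made for the example.

```python
"""Outbound webhook URL guard: refuse destinations in internal address ranges.

Added example, not Metabase's own code. Shows the kind of check a
subscription/webhook feature can apply before a test send or delivery.
The resolver is injectable so the logic can be exercised offline.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_with_dns(hostname):
    """Default resolver: every A/AAAA answer for the host, as strings."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal_address(ip_text):
    """True if a webhook sender must not connect to this address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable: fail closed
    # An IPv4-mapped IPv6 literal such as ::ffff:10.0.0.5 is judged by
    # the embedded IPv4 address, otherwise it would bypass the IPv4 checks.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_webhook_url(url, resolver=resolve_with_dns):
    """Return (allowed, reason). Every address the host maps to must be external."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        # Literal IPv4/IPv6 host: no lookup needed.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Hostname (or a non-dotted numeric form the OS resolver would
        # accept, e.g. a decimal integer): resolve and judge every answer.
        try:
            addresses = resolver(host)
        except socket.gaierror as exc:
            return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"{host} maps to internal address {addr}"
    return True, "ok"
```

A check like this is only a first layer: the address judged here must also be the one actually connected to (pin the connection to the validated address rather than re-resolving), and redirects returned by the webhook endpoint need the same check before they are followed. Network egress rules such as the dedicated subnet in the remediation remain the backstop.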

Added: Jan 12, 2026, 11:28 PM
Updated: Jan 12, 2026, 11:28 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.