CVE-2021-41277 — Metabase GeoJSON API Local File Inclusion Vulnerability

CVE-2021-41277

Metabase — Unauthenticated GeoJSON URL Parameter Enabling Local File Read and SSRF via file:// Scheme

What is Metabase?

Metabase is a popular open-source business intelligence and data analytics platform that allows organizations to query their databases, create dashboards, and visualize data through a web interface. It connects directly to production databases (PostgreSQL, MySQL, MongoDB, etc.) and is often deployed with broad database access credentials. Because Metabase holds database connection credentials and has direct query access to production data stores, vulnerabilities in Metabase that expose server-side file reads or SSRF can lead to credential theft and data exfiltration.

Overview

CVE-2021-41277 is a local file inclusion / server-side request forgery vulnerability (CWE-200) in Metabase's GeoJSON API. The /api/geojson endpoint fetches GeoJSON data from a URL provided in the url parameter to support custom map visualizations in Metabase dashboards. This endpoint does not restrict the URL scheme, allowing an unauthenticated attacker to use file:// URLs to read arbitrary local files from the Metabase server, or use http:// URLs targeting internal network services (SSRF). The CVSS score of 10 (maximum) reflects that this is exploitable without authentication and can expose credentials, configuration files, and internal services. CISA added this to KEV in November 2024.

Affected Versions

Product            Vulnerable      Fixed
Metabase 0.40.x    < 0.40.8.1      0.40.8.1
Metabase 1.40.x    < 1.40.8.1      1.40.8.1
Metabase 0.41.x    < 0.41.2        0.41.2
Metabase 1.41.x    < 1.41.2        1.41.2

Technical Details

The /api/geojson?url=<value> endpoint in Metabase's API allows the server to fetch a GeoJSON file from a URL for use in map visualizations. The endpoint did not validate or restrict the URL scheme:

  • Attack vector: Send an unauthenticated GET request to /api/geojson?url=file:///etc/passwd (or any local file path)
  • Local file read: The server reads the specified file and returns its contents in the HTTP response
  • High-value files: /app/metabase.db/metabase.db (H2 embedded database containing Metabase configuration including database credentials), environment variable files, and application configuration files
  • SSRF: Using http:// URLs targets internal services not accessible from the internet — metadata services (AWS IMDSv1), internal APIs, etc.
  • Database credential theft: The Metabase H2 database contains connection strings for all configured data sources, including production database credentials
  • No authentication required: The endpoint is accessible without any Metabase credentials

Discovery

Reported to Metabase via the GitHub Security Advisory process. The vulnerability was straightforward to discover — the GeoJSON endpoint was documented in Metabase's API documentation, making the file:// scheme bypass obvious to security researchers.

Exploitation Context

The three-year gap between patch (November 2021) and CISA KEV addition (November 2024) indicates exploitation against unpatched Metabase instances was confirmed in targeted attack chains. Metabase deployments connected to production databases are high-value targets — extracting the Metabase H2 database gives attackers connection strings and credentials for all configured data sources, enabling direct database access without touching the application layer.

Remediation

  1. Upgrade Metabase to v0.41.2 / v1.41.2 or later (or the latest available release)
  2. If upgrading is not immediately possible, disable or restrict network access to the Metabase web interface — it should not be publicly accessible
  3. Rotate all database credentials stored in Metabase after patching — assume they were read if the instance was internet-accessible during the vulnerable period
  4. Review Metabase application logs for requests to /api/geojson with file:// or unusual http:// URLs
  5. Restrict outbound HTTP from the Metabase server to known-good GeoJSON data sources (firewall egress filtering)
  6. Run Metabase with a dedicated low-privilege OS user and restrict filesystem access to only required directories
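The following is an added example, not Metabase's own code and not part of the original advisory. It covers two points from this page: the scheme allowlist and non-public-address check that the /api/geojson endpoint lacked (Technical Details), and the log review in remediation step 4. The function names, the access-log format (common log format, as a reverse proxy in front of Metabase would record it) and the sample log lines are all constructed for the example; the check does not resolve hostnames, so DNS-based bypasses are outside what it catches.

```python
import re
import ipaddress
from urllib.parse import urlparse, parse_qs

# Only these schemes make sense for fetching a GeoJSON file. file:// (the
# CVE-2021-41277 vector) and everything else is refused.
ALLOWED_SCHEMES = {"http", "https"}


def classify_geojson_url(url):
    """Return None if the URL passes the check, else a short reason string.

    Hypothetical hardening check (not Metabase's implementation): allowlist
    the scheme, then refuse literal-IP hosts that are not globally routable.
    is_global is False for loopback, RFC 1918 ranges and link-local space,
    which includes the 169.254.169.254 cloud metadata address named in the
    advisory as an SSRF target. Hostnames are accepted without resolution.
    """
    try:
        parsed = urlparse(url)
    except ValueError:
        return "unparseable"
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"disallowed scheme {scheme or '(none)'}"
    host = parsed.hostname
    if not host:
        return "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname rather than a literal IP: accepted here
    if not ip.is_global:
        return f"non-public address {ip}"
    return None


# Common log format: client, identity, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log_lines(lines):
    """Flag /api/geojson requests whose url parameter fails classify_geojson_url.

    Returns a list of dicts with the source address, timestamp, HTTP status,
    the decoded url parameter and the reason it was flagged.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.startswith("/api/geojson"):
            continue
        # parse_qs percent-decodes values, so an encoded https://... is seen as-is
        for raw_url in parse_qs(urlparse(path).query).get("url", []):
            reason = classify_geojson_url(raw_url)
            if reason:
                findings.append({
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "url": raw_url,
                    "reason": reason,
                })
    return findings


# Constructed sample access-log lines (not real traffic). The first geojson
# request is a legitimate remote map file; the other three are the kind of
# requests remediation step 4 says to look for.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2021:10:01:02 +0000] "GET /api/geojson?url=https%3A%2F%2Fraw.githubusercontent.com%2Fexample%2Fmap.geojson HTTP/1.1" 200 5120
203.0.113.7 - - [20/Nov/2021:10:01:09 +0000] "GET /api/geojson?url=file:///etc/passwd HTTP/1.1" 200 2231
203.0.113.7 - - [20/Nov/2021:10:01:15 +0000] "GET /api/geojson?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 311
198.51.100.4 - - [20/Nov/2021:10:02:00 +0000] "GET /api/dashboard/12 HTTP/1.1" 200 8801
203.0.113.7 - - [20/Nov/2021:10:02:30 +0000] "GET /api/geojson?url=http://127.0.0.1:3000/api/setup HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['src']} status={f['status']} {f['reason']}: {f['url']}")
```

A 200 status on a flagged file:// request is the strongest signal, since it means the server returned file contents; a 403 or 4xx after patching shows the fix in place but still identifies the source address worth investigating. Step 3 (credential rotation) should follow regardless of what the logs show, because log retention rarely covers a three-year exposure window.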

Key Details

Property               Value
CVE ID                 CVE-2021-41277
Vendor / Product       Metabase — Metabase
NVD Published          2021-11-17
NVD Last Modified      2025-10-24
CVSS 3.1 Score         10
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Severity               CRITICAL
CWE                    CWE-200
CISA KEV Added         2024-11-12
CISA KEV Deadline      2024-12-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           Low

Required Action

CISA BOD 22-01 Deadline: 2024-12-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2021-11-17    Metabase releases patched versions (v0.41.2, v1.41.2, v0.40.8.1, v1.40.8.1)
2021-11-17    CVE published; GitHub Security Advisory GHSA-w73v-6p7p-fpfr published
2024-11-12    Added to CISA Known Exploited Vulnerabilities catalog
2024-12-03    CISA BOD 22-01 remediation deadline

References

Resource                                         Type
Metabase Security Advisory GHSA-w73v-6p7p-fpfr   Vendor Advisory
NVD — CVE-2021-41277                             Vulnerability Database
CISA KEV Catalog Entry                           US Government