CVE-2021-41277
Detail
Description
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
Metrics
NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.
CVSS 4.0 Severity and Vector Strings:
NVD assessment
not yet provided.
CVSS 3.x Severity and Vector Strings:
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0 Severity and Vector Strings:
Vector:
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to [email protected].
This CVE is in CISA's Known Exploited Vulnerabilities Catalog
Reference
CISA's BOD 22-01 and Known
Exploited Vulnerabilities Catalog for further guidance and requirements.
| Vulnerability Name |
Date Added |
Due Date |
Required Action |
| Metabase GeoJSON API Local File Inclusion Vulnerability |
11/12/2024 |
12/03/2024 |
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
Weakness Enumeration
| CWE-ID |
CWE Name |
Source |
|
CWE-22
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
👁 cwe source acceptance level
NIST
CISA-ADP
|
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor |
GitHub, Inc.
|
Change History
15 change records found show changes
CVE Modified by CISA-ADP
6/17/2026 12:08:13 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Affected |
[{"vendor":"metabase","product":"metabase","defaultStatus":"unknown","cpes":["cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*"],"versions":[{"version":"0","lessThan":"0.40.5","versionType":"custom","status":"affected"},{"version":"1.0.0","lessThan":"1.40.5","versionType":"custom","status":"affected"}]},{"vendor":"metabase","product":"metabase","defaultStatus":"unknown","cpes":["cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*"],"versions":[{"version":"0","lessThan":"0.40.5","versionType":"custom","status":"affected"},{"version":"1.0.0","lessThan":"1.40.5","versionType":"custom","status":"affected"}]}]
|
| Added |
SSVC |
{"timestamp":"2025-08-20T03:56:21.253891Z","id":"CVE-2021-41277","options":[{"exploitation":"active"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}
|
CVE Modified by GitHub, Inc.
6/17/2026 12:08:13 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Affected |
[{"vendor":"metabase","product":"metabase","versions":[{"version":"< 0.40.5","status":"affected"},{"version":">= 1.0.0, < 1.40.5","status":"affected"}]}]
|
Modified Analysis by NIST
10/24/2025 10:47:07 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference Type |
CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-41277 Types: US Government Resource
|
CVE Modified by CISA-ADP
10/21/2025 8:17:45 PM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference |
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-41277
|
CVE Modified by CISA-ADP
10/21/2025 4:18:48 PM
| Action |
Type |
Old Value |
New Value |
| Removed |
Reference |
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-41277
|
CVE Modified by CISA-ADP
10/21/2025 3:19:22 PM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference |
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-41277
|
Modified Analysis by NIST
2/18/2025 9:44:41 AM
| Action |
Type |
Old Value |
New Value |
CVE Modified by CVE
11/21/2024 1:25:56 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference |
https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0
|
| Added |
Reference |
https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
|
Modified Analysis by NIST
11/14/2024 10:26:17 AM
| Action |
Type |
Old Value |
New Value |
| Changed |
CPE Configuration |
OR
*cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:*:*:*:*
|
OR
*cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:-:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:-:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:-:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:-:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:-:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:enterprise:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:enterprise:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:enterprise:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:enterprise:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:enterprise:*:*:*
|
| Changed |
Reference Type |
https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 Patch, Third Party Advisory
|
https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 Patch
|
| Changed |
Reference Type |
https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr Third Party Advisory
|
https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr Mitigation, Third Party Advisory
|
CVE Modified by CISA-ADP
11/13/2024 10:35:02 AM
| Action |
Type |
Old Value |
New Value |
| Added |
CVSS V3.1 |
CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| Added |
CWE |
CISA-ADP CWE-22
|
CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
11/12/2024 9:00:01 PM
| Action |
Type |
Old Value |
New Value |
| Added |
Date Added |
2024-11-12
|
| Added |
Due Date |
2024-12-03
|
| Added |
Required Action |
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
|
| Added |
Vulnerability Name |
Metabase GeoJSON API Local File Inclusion Vulnerability
|
CVE Modified by GitHub, Inc.
5/14/2024 5:28:37 AM
| Action |
Type |
Old Value |
New Value |
CVE Modified by GitHub, Inc.
11/06/2023 10:38:54 PM
| Action |
Type |
Old Value |
New Value |
| Changed |
Description |
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
|
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
|
Reanalysis by NIST
7/17/2023 11:16:19 AM
| Action |
Type |
Old Value |
New Value |
| Added |
CWE |
NIST CWE-22
|
| Removed |
CWE |
NIST CWE-20
|
Initial Analysis by NIST
11/23/2021 9:48:23 AM
| Action |
Type |
Old Value |
New Value |
| Added |
CVSS V3.1 |
NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| Added |
CVSS V2 |
NIST (AV:N/AC:L/Au:N/C:P/I:N/A:N)
|
| Added |
CWE |
NIST CWE-20
|
| Added |
CPE Configuration |
OR
*cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:*:*:*:*
*cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:*:*:*:*
|
| Changed |
Reference Type |
https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 No Types Assigned
|
https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 Patch, Third Party Advisory
|
| Changed |
Reference Type |
https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr No Types Assigned
|
https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr Third Party Advisory
|
Quick Info
CVE Dictionary Entry: CVE-2021-41277 NVD
Published Date: 11/17/2021 NVD
Last Modified: 06/17/2026
Source: GitHub, Inc.
|
