← back
CVE-2025-5895

Metabase dom.js parseDataUri redos

CVSS 5.3 MEDIUMEPSS 0.5%CWE-1333CWE-400
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
09 Jun 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
n/a · Metabase

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/metabase/metabase/commit/4454ebbdc7719016bf80ca0f34859ce5cee9f6b0https://github.com/metabase/metabase/pull/57011https://github.com/metabase/metabase/pull/57011#pullrequestreview-2792664135https://vuldb.com/?ctiid.311667https://vuldb.com/?id.311667https://vuldb.com/?submit.585795