CVE-2021-41277: Metabase local file inclusion vulnerability alert

Metabase is the easy, open-source way for everyone in your company to ask questions and learn from data. On November 22, 2021, we found that a proof of concept (PoC) for the Metabase local file inclusion vulnerability had been published on the Internet. The vulnerability is tracked as CVE-2021-41277, has a CVSSv3 score of 9.9, and its severity level is serious.


Vulnerability Detail

There is a potential security issue in the custom GeoJSON map support (admin->settings->maps->custom maps->add a map) that can lead to local file inclusion (including environment variables). Only versions x.40.0-x.40.4 are affected.


In this regard, we recommend that users upgrade Metabase to the latest version in time.


This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that (including x.41+).


If you’re on an affected version (x.40.0-x.40.4), upgrade immediately.

If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy, load balancer or WAF. The rules below apply to ALB and Nginx alike, though it is recommended to block the endpoint /api/geojson completely:

- Path contains /api/geojson
- Query string parameter url starts with "file:" or ""
- Return a fixed 403 response
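The following is an added example (not Metabase code and not an actual ALB or Nginx configuration) that models the two proxy rules described above in Python, so the matching logic can be checked against constructed request targets before it is translated into a real proxy or WAF rule. It assumes the query parameter is named `url`, and the sample requests are constructed for illustration.

```python
"""Model of the reverse-proxy / WAF mitigation described for CVE-2021-41277.

Added example, not Metabase code and not an ALB/Nginx config. It reproduces
the advisory's two rules (path contains /api/geojson; query parameter `url`
starts with "file:") as a testable function. The parameter name `url` and the
sample request targets below are assumptions made for this example.
"""
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/api/geojson"
BLOCKED_SCHEME = "file:"


def classify(request_target: str, block_endpoint_entirely: bool = True) -> int:
    """Return the HTTP status a filtering proxy should answer for `request_target`.

    `request_target` is the path-plus-query of an HTTP request (the second
    token of a request line). 403 means block, 200 means pass through.
    """
    parts = urlsplit(request_target)
    # Percent-decode the path so an encoded spelling of the endpoint still matches.
    path = unquote(parts.path)
    if ENDPOINT not in path:
        return 200
    if block_endpoint_entirely:
        # The advisory's recommended option: refuse every request to the endpoint.
        return 403
    # Lenient option: refuse only requests whose `url` parameter starts with "file:".
    # parse_qs percent-decodes values once; unquote again to cover double encoding,
    # then lower-case so "FILE:" is treated the same as "file:".
    for value in parse_qs(parts.query, keep_blank_values=True).get("url", []):
        candidate = unquote(value).lstrip().lower()
        if candidate.startswith(BLOCKED_SCHEME):
            return 403
    return 200


# Constructed sample request targets (not real traffic).
SAMPLE_REQUESTS = [
    "/api/geojson?url=https://example.org/states.geojson",  # legitimate custom map
    "/api/geojson?url=file:///tmp/example.geojson",          # matched by both rules
    "/api/geojson?url=FILE%3A%2F%2F%2Ftmp%2Fexample",        # encoded and upper-case
    "/api/card/1/query",                                      # unrelated endpoint
]


def summarize(requests=SAMPLE_REQUESTS, block_endpoint_entirely=False):
    """Map each request target to the status the lenient or strict rule produces."""
    return {r: classify(r, block_endpoint_entirely) for r in requests}


if __name__ == "__main__":
    for mode in (False, True):
        print("block endpoint entirely:", mode)
        for target, status in summarize(block_endpoint_entirely=mode).items():
            print(f"  {status}  {target}")
```

The lenient rule normalizes percent-encoding and letter case because a literal prefix match on the raw query string catches only one spelling of "file:"; that fragility is why the advisory recommends blocking /api/geojson entirely until the upgrade is done.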