Insufficient Connection Purge in Metabase for Snowflake Integration
CVE-2025-32382
What is CVE-2025-32382?
Metabase, an open-source Business Intelligence and Embedded Analytics tool, has a vulnerability where it fails to thoroughly purge outdated Snowflake connection details from its application database when administrators update connection settings. This flaw arises during the connection method validation phase, allowing certain connection details, including sensitive information such as usernames and passwords, to be improperly logged and potentially exposed. Updates in releases 52.17.1, 53.9.5, and 54.1.5 address this issue by ensuring that obsolete connection details are adequately purged from the database. Users operating on version 51 or earlier are not affected.
Affected Version(s)
Product | Affected | Unaffected
metabase | >= 0.52.12, < 0.52.17.1 | < 0.52.12, 0.52.17.1
metabase | >= 1.52.12, < 1.52.17.1 | < 1.52.12, 1.52.17.1
metabase | >= 0.53.2.3, < 0.53.9.5 | < 0.53.2.3, 0.53.9.5