Inefficient Regular Expression Complexity in Metabase's parseDataUri Function
CVE-2025-5895

5.3MEDIUM

Key Information:

Vendor

Metabase

Status
Metabase
Vendor
CVE Published:
9 June 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-5895?

A vulnerability exists in Metabase version 54.10 that affects the function parseDataUri located in frontend/src/metabase/lib/dom.js. This issue arises from inefficient regular expression complexity, enabling potential attackers to exploit the vulnerability remotely. The specific manipulation may lead to performance degradation and can be leveraged in an attack scenario. A patch has been created to address this vulnerability, and it is highly recommended for users to apply this fix to enhance security.

Affected Version(s)

Metabase 54.10

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-5895 - Proof of Concept

References

https://vuldb.com/?id.311667
vdb-entrytechnical-description
https://vuldb.com/?ctiid.311667
signaturepermissions-required
https://vuldb.com/?submit.585795
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

mmmsssttt (VulDB User)
.
CVE-2025-5895 : Inefficient Regular Expression Complexity in Metabase's parseDataUri Function