What happened
CISA added CVE-2021-41277 (Metabase GeoJSON API Local File Inclusion) to the Known Exploited Vulnerabilities catalog on 2024-11-12 CISA KEV. A KEV listing signals confirmed exploitation in the wild and, under BOD 22-01, obliges U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate by the listed due date, here 2024-12-03 CISA KEV. The vulnerability is a local file inclusion (LFI) in Metabase's custom map support, which loads GeoJSON-formatted data from a URL supplied by the user NVD, MITRE CVE.
CISA's entry carries the catalog's standard required action: apply mitigations per vendor instructions, or discontinue use of the product if mitigations are unavailable CISA KEV. GitHub's advisory GHSA-w73v-6p7p-fpfr is the vendor-side record of the issue, the fixed versions and the remediation steps for Metabase administrators GitHub Advisory.
Why it matters
LFI turns an internal analytics server into a file-read oracle: any file the Metabase service account can read, and per the vendor advisory its environment variables as well, can be pulled back through the API NVD, GitHub Advisory. NVD classifies the weakness as information exposure, CWE-200, which covers disclosure of sensitive information to an actor not explicitly authorized to receive it CWE-200, MITRE CVE. In real environments that means service credentials and tokens, and those enable lateral movement well beyond the BI stack NVD.
CISA puts this CVE on a clock for agencies, which is operator-speak for: exploitation is happening now, not theoretically CISA KEV. The KEV entry lists known ransomware campaign use as "Unknown", but a data-theft primitive of this kind is useful to crimeware and APT operators alike CISA KEV.
Technical detail
Per the public records, Metabase's custom map feature fetches GeoJSON from a URL supplied in the request and uses it to render map visualizations NVD, GitHub Advisory. That URL was not validated before being loaded, so a URL that points at the local filesystem makes the application read a file from the Metabase server and return its contents in the API response in place of map data MITRE CVE, GitHub Advisory. This maps cleanly to CWE-200, because the flaw exposes information to a party that should not have access CWE-200.
Attack preconditions are minimal when the Metabase UI/API is reachable: an unauthenticated or low-privileged user can send a request to the GeoJSON input mechanism with a URL that names a local file instead of a web resource NVD. Typical targets are configuration files, service account tokens and environment-specific secrets that Metabase or its host relies on, which enable privilege escalation and pivoting MITRE CVE. The stolen content comes back in an ordinary API response, so it blends into application traffic unless you inspect payloads; the request side does carry a tell, since a map source that is not an http(s) URL has no legitimate reason to exist NVD.
The GitHub advisory tracks the vendor's remediation guidance and is the reference for confirming fixed versions (it names maintenance releases 0.40.5 and 1.40.5 as the first fixed versions) and the interim mitigation it describes for deployments that cannot upgrade at once GitHub Advisory. CISA's KEV entry sets the urgency: patch or mitigate by the due date to close off active exploitation CISA KEV.
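The two patterns the records describe, side by side, as an added example written for this page (it is not Metabase's code and does not reproduce the vendor's fix): an unvalidated fetch of whatever URL the custom-map form receives, and a validator that only admits http(s) URLs to non-local hosts and refuses redirects. Function names, the allow-list and the throwaway secret file in demo() are this example's own assumptions.

```python
"""Added example (not Metabase's code): the unvalidated fetch pattern behind
CVE-2021-41277, beside a validator that only admits http(s) URLs to non-local hosts."""
import ipaddress
import os
import pathlib
import tempfile
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: custom maps are only ever web resources


def load_map_unsafe(url: str) -> bytes:
    """Vulnerable pattern: fetch whatever was typed into the custom-map form.
    urllib, like the JVM URL loader, honours file://, so the 'map' can be any
    file the service account can read."""
    with urllib.request.urlopen(url) as resp:  # deliberately unvalidated
        return resp.read()


def validate_map_url(url: str) -> str:
    """Return `url` if it is an http(s) URL to a non-local host; raise ValueError otherwise."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()          # 'FILE:' and 'file:' are the same scheme
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme or '<none>'}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    if host == "localhost" or host.endswith(".localhost"):
        raise ValueError("loopback host not allowed")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None   # a hostname: its resolved address must be re-checked at connect time (not done here)
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local
                           or ip.is_reserved or ip.is_unspecified):
        raise ValueError(f"non-public address not allowed: {ip}")
    return url


def is_allowed_map_url(url: str) -> bool:
    """Boolean wrapper around validate_map_url for callers that do not want exceptions."""
    try:
        validate_map_url(url)
        return True
    except ValueError:
        return False


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """A 3xx to file:// or to an internal host would bypass the check, so refuse all redirects."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise ValueError(f"redirect to {newurl!r} refused")


def fetch_no_redirect(url: str) -> bytes:
    opener = urllib.request.build_opener(_RefuseRedirects)
    with opener.open(url, timeout=10) as resp:
        return resp.read()


def load_map_safe(url: str, fetch=fetch_no_redirect) -> bytes:
    """Hardened pattern: validate first, then fetch with a redirect-refusing client."""
    return fetch(validate_map_url(url))


def demo() -> dict:
    """Write a throwaway 'secret' file (constructed sample) and show which loader returns it."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("DB_PASSWORD=hunter2\n")
    file_url = pathlib.Path(f.name).as_uri()   # file:///tmp/....txt
    try:
        results = {"unsafe_read": load_map_unsafe(file_url).decode()}
        try:
            load_map_safe(file_url)
            results["safe_read"] = "fetched"
        except ValueError as e:
            results["safe_read"] = f"rejected: {e}"
    finally:
        os.unlink(f.name)
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats belong with this check. A hostname that resolves to a loopback or internal address (DNS rebinding, or a deliberately planted record) passes the literal-IP test above, so the address actually connected to has to be checked by the HTTP client as well; and integer or hex spellings of an address that ipaddress rejects are passed through as hostnames, which is another reason to check at connect time rather than only on the string.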
Defense
- Patch/upgrade immediately per vendor guidance for CVE-2021-41277 and, if you cannot upgrade yet, deploy the advisory's interim mitigation; if no mitigation is available, discontinue use until fixed GitHub Advisory, CISA KEV.
- Enforce strict access controls around Metabase: do not expose the UI/API directly to the Internet; restrict it to trusted admin networks or a VPN while you remediate, and run the service under a low-privilege account so that any file read is bounded by what that account can reach NVD.
- Monitor the GeoJSON ingestion path: map-source values that are not http(s) URLs (local paths, file or other non-web schemes), high request rates, and responses whose content is not valid GeoJSON are the indicators of LFI NVD, MITRE CVE.
- Treat secrets on the Metabase host as exposed if abuse is suspected: rotate the application database credentials, any secrets passed through environment variables, and tokens readable from configuration files, and confirm that such material is not kept in files the Metabase service account can read CWE-200.
- For FCEB agencies, track the due date CISA set (2024-12-03) and document completion in accordance with KEV policy requirements CISA KEV.
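The monitoring item above, worked through on constructed data as an added example (not code from CISA, NVD or the Metabase project): a request-side scan of access-log lines for GeoJSON loads whose source is not an http(s) URL, and a response-side classifier that separates well-formed GeoJSON from the file contents an LFI usually returns. The /api/geojson path and the `url` parameter are assumptions taken from public write-ups; the log lines and response bodies are constructed samples.

```python
"""Added example: request-side and response-side detection for abuse of the
custom-map (GeoJSON) loader behind CVE-2021-41277. Constructed sample data;
the endpoint path and parameter name are assumptions from public write-ups."""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

GEOJSON_ENDPOINT = "/api/geojson"   # assumption, see lead-in
URL_PARAM = "url"                   # assumption, see lead-in

# Combined-log-format request line: client, timestamp, method, target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Constructed access-log lines: one benign map load, three LFI attempts, one unrelated request.
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Nov/2024:09:14:01 +0000] "GET /api/geojson?url=https%3A%2F%2Ftiles.example.org%2Fus-states.geojson HTTP/1.1" 200 48213',
    '198.51.100.7 - - [12/Nov/2024:09:14:05 +0000] "GET /api/geojson?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2451',
    '198.51.100.7 - - [12/Nov/2024:09:14:09 +0000] "GET /api/geojson?url=file%253A%2F%2F%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 3410',
    '198.51.100.7 - - [12/Nov/2024:09:14:12 +0000] "GET /api/geojson?url=%2Fetc%2Fshadow HTTP/1.1" 200 1180',
    '203.0.113.9 - - [12/Nov/2024:09:15:00 +0000] "GET /api/health HTTP/1.1" 200 15',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo stacked percent-encoding (a common filter bypass) before looking at the scheme."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_map_url(raw: str):
    """Return a reason string if the map source is not a plain http(s) URL, else None."""
    url = fully_decode(raw).strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme in ("http", "https"):
        return None
    if scheme:
        return f"non-web scheme {scheme!r}"
    return "scheme-less value, looks like a local path"


def request_alerts(lines):
    """Scan access-log lines for GeoJSON loads whose source cannot be a legitimate map."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if path != GEOJSON_ENDPOINT:
            continue
        for raw in parse_qs(query, keep_blank_values=True).get(URL_PARAM, []):
            reason = inspect_map_url(raw)
            if reason:
                alerts.append({"ip": m["ip"], "status": int(m["status"]),
                               "url": fully_decode(raw), "reason": reason})
    return alerts


GEOJSON_TYPES = {"FeatureCollection", "Feature", "GeometryCollection", "Point", "MultiPoint",
                 "LineString", "MultiLineString", "Polygon", "MultiPolygon"}

# (label, pattern, minimum hits): cheap content profiles for the files an LFI usually targets.
FILE_PROFILES = (
    ("passwd", re.compile(r"^[^:\n]+:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^\n]*$", re.M), 2),
    ("environ", re.compile(r"(?:^|\x00)[A-Za-z_][A-Za-z0-9_]*="), 2),   # NUL-separated /proc dump or KEY=VALUE file
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"), 1),
)


def classify_response(body: str) -> str:
    """'geojson' for a well-formed map, 'local-file:<profile>' for leaked file contents, else 'unknown'."""
    try:
        obj = json.loads(body)
    except ValueError:
        obj = None
    if isinstance(obj, dict) and obj.get("type") in GEOJSON_TYPES:
        return "geojson"
    for label, pattern, min_hits in FILE_PROFILES:
        if len(pattern.findall(body)) >= min_hits:
            return f"local-file:{label}"
    return "unknown"


if __name__ == "__main__":
    for alert in request_alerts(SAMPLE_LOG):
        print(alert)
```

The request-side scan is the cheaper and earlier signal, since it fires on the attempt rather than on the leak, and it needs only access logs; the response classifier needs a proxy or application hook that can see bodies, and its profiles are deliberately loose (two passwd-shaped lines, two KEY=VALUE pairs), so tune the thresholds against your own map sources before wiring it to an automatic block.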
Lyrie Verdict
This is a quiet data-theft bug with high leverage. LFI through a visualization feature won't trip a signature unless you watch the content, not just the route NVD. Lyrie's position is simple: treat Metabase's GeoJSON ingestion path as a high-signal telemetry source and instrument it with machine-speed content inspection tuned to file-exfil patterns (unexpected binary blobs, config-like keys, secret material) derived from CVE-2021-41277's behavior profile MITRE CVE. Autonomous detectors should auto-quarantine the clients whose requests produce GeoJSON responses that resemble local file contents, then notify and enrich with host context for rapid credential rotation CWE-200. This is how you preempt rogue-AI-driven scraping: no dwell time, no manual triage window.
Exploit requests look like routine map loads, and the responses look like map data until you parse them. We flag and auto-block GeoJSON responses that match local-file content profiles at machine speed, then trigger secret rotation.