
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in Metabase version 54.10 (CVE-2025-5895) affecting the parseDataUri function in the frontend/src/metabase/lib/dom.js file. The vulnerability is classified as an inefficient regular expression complexity issue that could lead to potential Denial of Service (DoS) attacks. The vulnerability was discovered and disclosed in June 2025, with a patch being made available through commit 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0 (Metabase Commit, Metabase PR).
The vulnerability stems from an inefficient regular expression implementation in the parseDataUri function. The original regex pattern could be exploited through specially crafted input strings, potentially leading to excessive CPU usage and application freezing. The vulnerability has been assigned a CVSS v4.0 score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P, and a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).
The vulnerability can result in Denial of Service conditions through excessive CPU consumption when processing maliciously crafted input strings, affecting the availability of the Metabase application and potentially disrupting normal operations (Metabase PR).
A fix has been implemented and is available through patch 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. The patch modifies the regular expression pattern to prevent potential ReDoS attacks. Users are strongly advised to upgrade to the patched version of Metabase (Metabase Commit).
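The page describes the defect (a regular expression over attacker-controlled data URI strings that backtracks badly) and the fix (a changed pattern) but does not reproduce either regex. The following is an added example, not Metabase's own parseDataUri and not the patched pattern from the commit above: it shows the alternative a reviewer would typically ask for, parsing the `data:[<mediatype>][;attr=value]*[;base64],<data>` form from RFC 2397 with index-based splitting and single-pass character checks, so the cost is linear in the input length regardless of how the string is constructed. The function and parameter names are hypothetical.

```javascript
"use strict";

// Characters allowed in an RFC 2045 token (type, subtype and parameter names).
const TOKEN_CHARS =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&'*+-.^_`|~";

// True when s is a non-empty run of token characters.
// A plain loop costs O(len(s)) and cannot backtrack.
function isToken(s) {
  if (s.length === 0) return false;
  for (let i = 0; i < s.length; i++) {
    if (TOKEN_CHARS.indexOf(s[i]) === -1) return false;
  }
  return true;
}

// Validate "type/subtype" by splitting on the first "/" instead of matching
// it with a regex whose quantifiers could nest.
function isMediaType(s) {
  const slash = s.indexOf("/");
  if (slash === -1) return false;
  return isToken(s.slice(0, slash)) && isToken(s.slice(slash + 1));
}

// Parse data:[<mediatype>][;attr=value]*[;base64],<data>
// Returns null for malformed input; never throws and never backtracks.
function parseDataUriSafe(uri) {
  if (typeof uri !== "string" || !uri.startsWith("data:")) return null;
  const comma = uri.indexOf(",");
  if (comma === -1) return null; // RFC 2397 requires the comma separator
  const header = uri.slice(5, comma);
  const data = uri.slice(comma + 1);
  const fields = header.split(";");
  let mimeType = fields[0];
  const params = {};
  let base64 = false;
  for (let i = 1; i < fields.length; i++) {
    const f = fields[i];
    // ";base64" is only valid as the last header field
    if (f === "base64" && i === fields.length - 1) {
      base64 = true;
      continue;
    }
    const eq = f.indexOf("=");
    if (eq === -1 || !isToken(f.slice(0, eq))) return null;
    params[f.slice(0, eq).toLowerCase()] = f.slice(eq + 1);
  }
  if (mimeType === "") {
    mimeType = "text/plain"; // RFC 2397 default when the media type is omitted
    if (!("charset" in params)) params.charset = "US-ASCII";
  } else if (!isMediaType(mimeType)) {
    return null;
  }
  return { mimeType: mimeType.toLowerCase(), params, base64, data };
}

// Constructed sample input for a quick manual run.
console.log(parseDataUriSafe("data:image/png;base64,iVBORw0KGgo="));
```

When reviewing a regex-based parser for this kind of input, the practical check is to feed it a header of a few hundred thousand characters that almost matches the grammar (a long run of token characters with no `/` or no `,`) and confirm the call returns in milliseconds; the loop-based version above does, because every character is examined at most once.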
Source: This report was generated using AI