
CVE-2025-5895: Inefficient Regular Expression Complexity in Metabase

Severity: Medium
Type: Vulnerability
Published: Mon Jun 09 2025 (06/09/2025, 20:00:19 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: Metabase

Description

A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 00:02:13 UTC

Technical Analysis

CVE-2025-5895 is a medium-severity vulnerability in Metabase version 54.10, located in the frontend component at frontend/src/metabase/lib/dom.js in the parseDataUri function. The flaw is inefficient regular expression complexity: a regular expression whose backtracking cost grows super-linearly with the length and shape of its input, so that a specially crafted input makes a single evaluation consume excessive CPU time. This class of weakness is known as Regular Expression Denial of Service (ReDoS). An attacker can trigger it remotely, without authentication or user interaction, by supplying maliciously crafted data URIs to the vulnerable parser. Confidentiality and integrity are not affected; the impact is on availability, because the CPU spent evaluating the regex can exhaust server resources and degrade or deny service. The vulnerability has been publicly disclosed, and a patch identified by commit 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0 is available to remediate it. The CVSS 4.0 base score is 5.3 (medium): attack vector network, low attack complexity, no privileges or user interaction required, and limited impact on availability. No exploitation in the wild has been observed, but public disclosure increases the likelihood of exploitation attempts.

Potential Impact

For European organizations using Metabase 54.10, this vulnerability poses a risk primarily to service availability. Metabase is a popular open-source business intelligence tool used for data visualization and analytics. Organizations relying on Metabase for critical reporting and decision-making could experience service disruptions if an attacker exploits this vulnerability to trigger resource exhaustion. This could lead to degraded performance or temporary denial of service, impacting business continuity and operational efficiency. While the vulnerability does not directly expose sensitive data or allow unauthorized data modification, the potential downtime or instability could indirectly affect compliance with data availability requirements under regulations such as GDPR. Additionally, organizations in sectors with high reliance on data analytics, such as finance, healthcare, and manufacturing, may face operational risks if Metabase services become unavailable.

Mitigation Recommendations

European organizations should promptly apply the patch identified by commit 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0, upgrading Metabase beyond version 54.10. In addition to patching, organizations should enforce input validation (including length limits) and rate limiting on endpoints that accept data URIs, to bound the work an unauthenticated request can cause. A Web Application Firewall (WAF) with rules that reject malformed or unusually long data URIs adds a further layer of defense. Monitoring resource usage on Metabase servers and alerting on sustained or unexplained CPU spikes helps detect exploitation attempts early. Organizations should also consider placing Metabase instances in segmented network zones to limit the blast radius of an attack, and should review incident response plans so that they cover denial of service through application-layer vulnerabilities such as this one.
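The analysis above describes the ReDoS class of flaw, and the mitigation above calls for input validation on data URIs. The following is an added example of the defensive pattern, not Metabase's code and not the regular expression from the advisory: a data: URI parser that works with index scanning and single-character-class regexes (no nested or overlapping quantifiers), and refuses oversized input before doing any work. The names parseDataUriSafe and MAX_DATA_URI_LENGTH, the 16 MiB cap, and the sample URIs are assumptions constructed for this illustration.

```javascript
// Added example (not Metabase's code, not the affected regex).
// Scans with indexOf/slice and uses only regexes made of one character class
// followed by a literal separator, so matching time is linear in input length.

const MAX_DATA_URI_LENGTH = 16 * 1024 * 1024; // constructed cap for the example: 16 MiB

// RFC 2045 token characters minus "/", so "type/subtype" can split only one way.
const MIME_TYPE_RE = /^[A-Za-z0-9!#$&^_.+-]+\/[A-Za-z0-9!#$&^_.+-]+$/;
const PARAM_NAME_RE = /^[A-Za-z0-9!#$&^_.+-]+$/;
// Base64 alphabet, then optional padding; "=" is outside the class, so no ambiguity.
const BASE64_RE = /^[A-Za-z0-9+\/]*={0,2}$/;

// Returns { mimeType, charset, base64, data } or null for anything it will not accept.
function parseDataUriSafe(uri) {
  if (typeof uri !== "string") return null;
  // Refuse oversized input before any parsing work is done.
  if (uri.length > MAX_DATA_URI_LENGTH) return null;
  if (!uri.startsWith("data:")) return null;

  // The first comma separates "<mediatype>[;base64]" from the payload.
  const comma = uri.indexOf(",");
  if (comma === -1) return null;
  const header = uri.slice("data:".length, comma);
  const data = uri.slice(comma + 1);

  const fields = header.split(";");
  // RFC 2397: an omitted mediatype means text/plain;charset=US-ASCII.
  const mediatypeOmitted = fields[0] === "";
  const mimeType = mediatypeOmitted ? "text/plain" : fields[0];
  if (!MIME_TYPE_RE.test(mimeType)) return null;

  const params = {};
  let base64 = false;
  for (let i = 1; i < fields.length; i++) {
    const field = fields[i];
    if (field === "base64") {
      // "base64" is only valid as the last header field.
      if (i !== fields.length - 1) return null;
      base64 = true;
      continue;
    }
    const eq = field.indexOf("=");
    if (eq <= 0) return null; // empty field or missing "=" is malformed
    const name = field.slice(0, eq);
    if (!PARAM_NAME_RE.test(name)) return null;
    params[name] = field.slice(eq + 1);
  }

  if (base64 && !BASE64_RE.test(data)) return null;

  let charset = null;
  if (params.charset !== undefined) charset = params.charset;
  else if (mediatypeOmitted) charset = "US-ASCII";

  return { mimeType, charset, base64, data };
}

// Stand-alone demonstration on constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(parseDataUriSafe("data:image/png;base64,iVBORw0KGgo="));
  console.log(parseDataUriSafe("data:,Hello"));
  console.log(parseDataUriSafe("data:" + ";".repeat(100000) + ",x")); // null, rejected in one pass
}
```

The design choice worth noting is that every regex here has exactly one way to match a given string, so the engine never backtracks; the length cap is the second, independent bound, so that even a linear parser cannot be fed arbitrarily large work by an unauthenticated caller.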


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-09T06:47:00.425Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68487f541b0bd07c3938a0a9

Added to database: 6/10/2025, 6:54:12 PM

Last enriched: 7/11/2025, 12:02:13 AM

Last updated: 8/6/2025, 12:35:24 AM
