CVE-2025-52453 Overview
CVE-2025-52453 is a Server-Side Request Forgery (SSRF) vulnerability affecting Salesforce Tableau Server on Windows and Linux. The flaw resides in the Flow Data Source modules and enables Resource Location Spoofing. Authenticated attackers can coerce the server into issuing crafted requests to internal or unintended network resources. The vulnerability impacts Tableau Server versions before 2025.1.3, before 2024.2.12, and before 2023.3.19.
Critical Impact
Successful exploitation allows attackers to spoof resource locations and pivot to internal systems otherwise inaccessible from the public network, with high impact to confidentiality and integrity.
Affected Products
- Tableau Server on Windows (versions before 2025.1.3, 2024.2.12, 2023.3.19)
- Tableau Server on Linux (versions before 2025.1.3, 2024.2.12, 2023.3.19)
- Flow Data Source modules within affected Tableau Server builds
Discovery Timeline
- 2025-07-25 - CVE-2025-52453 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2025-52453
Vulnerability Analysis
The vulnerability is classified under [CWE-918] Server-Side Request Forgery. The Flow Data Source modules in Tableau Server accept user-controlled input that influences outbound request destinations. Insufficient validation of these inputs allows an attacker to direct the server to make HTTP requests to arbitrary endpoints.
The attack requires network access and low-privilege authentication. While attack complexity is high, successful exploitation crosses a security scope boundary, affecting resources beyond the vulnerable component. Attackers can read responses from internal services, query cloud metadata endpoints, or interact with internal APIs that trust the Tableau Server host.
Root Cause
The root cause is improper validation of URLs and resource locations submitted to Flow Data Source modules. The server processes these inputs without enforcing allow-lists, schema restrictions, or network segmentation checks. This permits Resource Location Spoofing, where the requested resource identifier resolves to attacker-chosen destinations.
Attack Vector
An authenticated user with permission to create or edit Flow data sources submits a crafted resource location pointing to an internal service. Tableau Server processes the flow and issues a server-side request to the supplied target. Responses or response metadata can leak back to the attacker, enabling reconnaissance and data extraction from internal segments.
The vulnerability mechanism centers on missing destination validation in the Flow Data Source request handler. Refer to the Salesforce Help Article for vendor-supplied technical details.
Detection Methods for CVE-2025-52453
Indicators of Compromise
- Outbound HTTP requests from Tableau Server hosts to internal IP ranges, link-local addresses (169.254.169.254), or loopback interfaces
- Flow Data Source definitions referencing unusual URLs, non-standard ports, or internal hostnames
- Unexpected authentication failures or 4xx/5xx responses in internal service logs originating from the Tableau Server source IP
- Spikes in Flow execution activity from low-privilege user accounts
Detection Strategies
- Inspect Tableau Server application and proxy logs for Flow Data Source operations referencing private network ranges (RFC1918), cloud metadata endpoints, or unexpected URL schemes
- Correlate Flow creation events with subsequent outbound network connections from the server
- Deploy network egress monitoring to flag connections from Tableau hosts to resources outside the documented data source allow-list
Monitoring Recommendations
- Forward Tableau Server logs and host network telemetry to a centralized analytics platform for behavioral baselining
- Alert on any Tableau-initiated requests to cloud instance metadata services (IMDS) or internal management interfaces
- Audit Flow Data Source configurations on a recurring schedule and review changes made by non-administrative accounts
How to Mitigate CVE-2025-52453
Immediate Actions Required
- Upgrade Tableau Server to version 2025.1.3, 2024.2.12, or 2023.3.19 or later, depending on your maintenance branch
- Audit existing Flow Data Source definitions for references to internal hosts, metadata endpoints, or unauthorized URLs
- Restrict Flow creation and editing permissions to vetted users until patching is complete
Patch Information
Salesforce has released fixed builds for all supported branches. Apply Tableau Server 2025.1.3, 2024.2.12, or 2023.3.19 from the vendor. See the Salesforce Help Article for download links and upgrade notes.
Workarounds
- Place Tableau Server behind an egress proxy that enforces an allow-list of approved external data source destinations
- Block Tableau Server hosts from reaching cloud instance metadata services and internal management APIs via host-based firewall rules
- Apply IMDSv2 on AWS-hosted Tableau deployments to require session tokens for metadata requests
# Example host-based egress restriction (Linux iptables)
# Block access to AWS/Azure/GCP instance metadata endpoint
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Restrict outbound traffic to a defined allow-list of data source hosts
iptables -A OUTPUT -p tcp -d <approved-datasource-ip> --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

