CVE-2025-52455 Overview
CVE-2025-52455 is a Server-Side Request Forgery (SSRF) vulnerability affecting Salesforce Tableau Server on Windows and Linux platforms. The flaw resides in the EPS Server modules and enables Resource Location Spoofing. Attackers can send crafted requests over the network without authentication or user interaction to induce the server into making requests to unintended destinations.
The vulnerability affects Tableau Server versions before 2025.1.3, before 2024.2.12, and before 2023.3.19. It is tracked under CWE-918: Server-Side Request Forgery.
Critical Impact
Unauthenticated network attackers can abuse the EPS Server modules to spoof resource locations and access internal endpoints reachable from the Tableau Server host.
Affected Products
- Tableau Server on Windows (versions before 2025.1.3, 2024.2.12, and 2023.3.19)
- Tableau Server on Linux (versions before 2025.1.3, 2024.2.12, and 2023.3.19)
- EPS Server modules within Tableau Server
Discovery Timeline
- 2025-07-25 - CVE-2025-52455 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-52455
Vulnerability Analysis
The vulnerability exists in the EPS Server modules of Tableau Server. The server accepts URL or resource location parameters without sufficient validation of the destination. Attackers can supply a controlled target address, and the server will initiate outbound requests to that address on their behalf.
This Resource Location Spoofing behavior enables attackers to interact with services that are not directly exposed to the public network. The confidentiality impact is limited to information the Tableau Server can reach, while integrity and availability remain unaffected according to the published CVSS vector.
Root Cause
The root cause is insufficient validation of user-supplied URLs or resource identifiers processed by the EPS Server modules. The server does not enforce an allow-list of destinations or block requests to internal IP ranges, loopback addresses, and cloud metadata endpoints. This missing input validation aligns with CWE-918.
Attack Vector
An unauthenticated remote attacker sends HTTP requests to the vulnerable Tableau Server endpoints. The request contains a manipulated resource location parameter pointing to an internal service, such as http://127.0.0.1, an internal IP range, or a cloud instance metadata service. The Tableau Server processes the request and issues an outbound connection to the attacker-controlled target, returning response data or side effects to the requester. No verified public exploit code or proof-of-concept is available for this vulnerability at the time of publication. Refer to the Salesforce Help Article for vendor-supplied technical details.
Detection Methods for CVE-2025-52455
Indicators of Compromise
- Outbound HTTP requests from Tableau Server processes to internal IP ranges, loopback interfaces, or cloud metadata endpoints such as 169.254.169.254.
- Unusual request patterns targeting EPS Server module endpoints with URL parameters pointing to non-standard hosts.
- Access log entries containing crafted resource location parameters originating from unauthenticated sessions.
Detection Strategies
- Inspect Tableau Server access logs for requests to EPS Server module endpoints containing URL-encoded internal addresses.
- Correlate Tableau Server host network telemetry with expected outbound destinations and alert on deviations.
- Deploy web application firewall rules that block SSRF payloads referencing private address space or metadata service hostnames.
Monitoring Recommendations
- Enable verbose logging on Tableau Server EPS modules and forward logs to a centralized SIEM for retention and analysis.
- Monitor egress network traffic from Tableau Server hosts and baseline expected outbound connections.
- Alert on any Tableau Server initiated connection to cloud metadata endpoints or RFC1918 addresses outside documented integrations.
How to Mitigate CVE-2025-52455
Immediate Actions Required
- Upgrade Tableau Server to version 2025.1.3, 2024.2.12, or 2023.3.19 or later based on your release branch.
- Restrict outbound network access from Tableau Server hosts using host-based firewalls or network segmentation.
- Review Tableau Server access logs for prior exploitation attempts targeting EPS Server endpoints.
Patch Information
Salesforce has released fixed versions in the 2025.1, 2024.2, and 2023.3 branches. Administrators should apply Tableau Server 2025.1.3, 2024.2.12, or 2023.3.19 or later. See the Salesforce Help Article for official patch guidance.
Workarounds
- Place Tableau Server behind an egress proxy that blocks requests to internal IP ranges and cloud metadata services.
- Apply network-level egress filtering to deny Tableau Server outbound access to 169.254.169.254, 127.0.0.0/8, and RFC1918 ranges not required for operation.
- Restrict access to EPS Server module endpoints through reverse proxy allow-lists until patching is complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

