Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-52455

CVE-2025-52455: Tableau Server SSRF Vulnerability

CVE-2025-52455 is a server-side request forgery flaw in Tableau Server's EPS Server modules that enables resource location spoofing attacks. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2025-52455 Overview

CVE-2025-52455 is a Server-Side Request Forgery (SSRF) vulnerability affecting Salesforce Tableau Server on Windows and Linux platforms. The flaw resides in the EPS Server modules and enables Resource Location Spoofing. Attackers can send crafted requests over the network without authentication or user interaction to induce the server into making requests to unintended destinations.

The vulnerability affects Tableau Server versions before 2025.1.3, before 2024.2.12, and before 2023.3.19. It is tracked under CWE-918: Server-Side Request Forgery.

Critical Impact

Unauthenticated network attackers can abuse the EPS Server modules to spoof resource locations and access internal endpoints reachable from the Tableau Server host.

Affected Products

  • Tableau Server on Windows (versions before 2025.1.3, 2024.2.12, and 2023.3.19)
  • Tableau Server on Linux (versions before 2025.1.3, 2024.2.12, and 2023.3.19)
  • EPS Server modules within Tableau Server

Discovery Timeline

  • 2025-07-25 - CVE-2025-52455 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-52455

Vulnerability Analysis

The vulnerability exists in the EPS Server modules of Tableau Server. The server accepts URL or resource location parameters without sufficient validation of the destination. Attackers can supply a controlled target address, and the server will initiate outbound requests to that address on their behalf.

This Resource Location Spoofing behavior enables attackers to interact with services that are not directly exposed to the public network. The confidentiality impact is limited to information the Tableau Server can reach, while integrity and availability remain unaffected according to the published CVSS vector.

Root Cause

The root cause is insufficient validation of user-supplied URLs or resource identifiers processed by the EPS Server modules. The server does not enforce an allow-list of destinations or block requests to internal IP ranges, loopback addresses, and cloud metadata endpoints. This missing input validation aligns with CWE-918.

Attack Vector

An unauthenticated remote attacker sends HTTP requests to the vulnerable Tableau Server endpoints. The request contains a manipulated resource location parameter pointing to an internal service, such as http://127.0.0.1, an internal IP range, or a cloud instance metadata service. The Tableau Server processes the request and issues an outbound connection to the attacker-controlled target, returning response data or side effects to the requester. No verified public exploit code or proof-of-concept is available for this vulnerability at the time of publication. Refer to the Salesforce Help Article for vendor-supplied technical details.

Detection Methods for CVE-2025-52455

Indicators of Compromise

  • Outbound HTTP requests from Tableau Server processes to internal IP ranges, loopback interfaces, or cloud metadata endpoints such as 169.254.169.254.
  • Unusual request patterns targeting EPS Server module endpoints with URL parameters pointing to non-standard hosts.
  • Access log entries containing crafted resource location parameters originating from unauthenticated sessions.

Detection Strategies

  • Inspect Tableau Server access logs for requests to EPS Server module endpoints containing URL-encoded internal addresses.
  • Correlate Tableau Server host network telemetry with expected outbound destinations and alert on deviations.
  • Deploy web application firewall rules that block SSRF payloads referencing private address space or metadata service hostnames.

Monitoring Recommendations

  • Enable verbose logging on Tableau Server EPS modules and forward logs to a centralized SIEM for retention and analysis.
  • Monitor egress network traffic from Tableau Server hosts and baseline expected outbound connections.
  • Alert on any Tableau Server initiated connection to cloud metadata endpoints or RFC1918 addresses outside documented integrations.

How to Mitigate CVE-2025-52455

Immediate Actions Required

  • Upgrade Tableau Server to version 2025.1.3, 2024.2.12, or 2023.3.19 or later based on your release branch.
  • Restrict outbound network access from Tableau Server hosts using host-based firewalls or network segmentation.
  • Review Tableau Server access logs for prior exploitation attempts targeting EPS Server endpoints.

Patch Information

Salesforce has released fixed versions in the 2025.1, 2024.2, and 2023.3 branches. Administrators should apply Tableau Server 2025.1.3, 2024.2.12, or 2023.3.19 or later. See the Salesforce Help Article for official patch guidance.

Workarounds

  • Place Tableau Server behind an egress proxy that blocks requests to internal IP ranges and cloud metadata services.
  • Apply network-level egress filtering to deny Tableau Server outbound access to 169.254.169.254, 127.0.0.0/8, and RFC1918 ranges not required for operation.
  • Restrict access to EPS Server module endpoints through reverse proxy allow-lists until patching is complete.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.