Salesforce Tableau Server CVE-2025-52451 Path Traversal: Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-52451, an absolute path traversal vulnerability in Salesforce Tableau Server's tabdoc API create-data-source-from-file-upload modules. It covers affected versions, technical root cause, and vendor security context based on available public information.

ZeroPath CVE Analysis

2025-08-22

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Sensitive files on enterprise analytics servers can be exposed with a single crafted API request. Organizations running Tableau Server prior to the latest patch levels are at risk of unauthorized file access due to a critical path traversal vulnerability in the platform's file upload API.

About the involved software: Salesforce is a global leader in enterprise cloud software, with millions of users and a broad portfolio including CRM, analytics, and business intelligence. Tableau, acquired by Salesforce in 2019, is a widely deployed analytics and data visualization platform used by enterprises worldwide for critical business intelligence workloads.

Technical Information

CVE-2025-52451 is an improper input validation vulnerability in Tableau Server's tabdoc API, specifically in the create-data-source-from-file-upload modules. The vulnerability allows absolute path traversal on both Windows and Linux deployments. Attackers can supply crafted file paths in API requests to access arbitrary files on the host system, bypassing intended directory restrictions. The root cause is the failure to properly sanitize and validate user-supplied path parameters in the affected API endpoint. This is categorized under CWE-20 (Improper Input Validation).

No public code snippets or proof of concept have been released for this vulnerability. The issue is network-exploitable and does not require elevated privileges beyond basic API access. Attackers can target the file upload functionality to specify absolute paths, potentially exposing configuration files, credentials, or other sensitive data readable by the Tableau Server process.
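
The bug class described above (an unvalidated, client-supplied path that may be absolute in either Windows or Linux syntax) can be illustrated generically. The following is an added example, not Tableau Server code and not taken from the advisory; the function names and the upload-root layout are hypothetical. It shows the weak join pattern beside a validator that rejects absolute, drive-qualified and UNC paths and then confirms containment after resolution.

```python
import posixpath
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafePath(ValueError):
    """Client-supplied path would leave the upload root."""


def naive_resolve(upload_root: str, client_path: str) -> str:
    # Weak pattern: join() silently discards upload_root when client_path
    # is absolute (ntpath.join does the same for drive-qualified paths).
    return posixpath.join(upload_root, client_path)


def safe_resolve(upload_root: str, client_path: str) -> Path:
    """Return a path inside upload_root, or raise UnsafePath."""
    if not client_path or "\x00" in client_path:
        raise UnsafePath("empty path or NUL byte")
    # Test both syntaxes regardless of host OS: the service runs on Windows
    # and Linux, and a client can send either form.
    win, posix = PureWindowsPath(client_path), PurePosixPath(client_path)
    if posix.is_absolute() or win.drive or win.root:
        raise UnsafePath("absolute, drive-qualified or UNC path")
    # Split on both separators so "..\\.." is also caught on Linux.
    parts = [p for p in client_path.replace("\\", "/").split("/")
             if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafePath("no file name or parent-directory segment")
    root = Path(upload_root).resolve()
    candidate = root.joinpath(*parts).resolve()
    # Containment check after resolution also catches symlinks leaving root.
    if root not in candidate.parents:
        raise UnsafePath("resolves outside upload root")
    return candidate
```

The same validator is useful as a review checklist for any upload or import endpoint: syntax checks for both platforms first, containment check on the resolved path last.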

Affected Systems and Versions

  • Tableau Server on Windows and Linux
  • Affected versions:
    • All versions before 2025.1.3
    • All versions before 2024.2.12
    • All versions before 2023.3.19
  • The vulnerability exists in the tabdoc API create-data-source-from-file-upload modules

Vendor Security History

Salesforce has previously addressed several critical vulnerabilities in Tableau Server, including:

  • Authorization bypass (CVE-2025-52446, CVE-2025-52447, CVE-2025-52448)
  • Remote code execution via unrestricted file upload (CVE-2025-52449)
  • Path traversal in related API modules (CVE-2025-52452)
  • SSRF and authentication bypass issues in earlier advisories

Salesforce typically issues coordinated advisories and patches across supported branches and communicates directly with administrators. The June 2025 advisory disclosed eight critical vulnerabilities, indicating ongoing challenges with secure input handling and access control in Tableau Server.
