Mapbox Security Bulletins

Millions of people touch Mapbox every month. That's why we are committed to creating the most secure and privacy-minded mapping and location platform in the world.

Recent vulnerabilities discovered

Tiles from wrong tilesets appearing on custom raster maps

May 12, 2021

Summary:

In six short-lived events from February 26, 2021 through March 1, 2021, a small number of requests on the Raster Tiles API incorrectly served raster tiles from another tileset. As a result, individual tiles from a customer’s tileset would have been incorrectly sent to another user. During each of these events, fewer than two out of a million requests would have been sent incorrect data.

Affected:

Mapbox Tiles API

Mapbox Android SDK - Switch to Local Broadcast Manager

March 21, 2017

Summary:

Mapbox Android SDK v4.0.0 through v4.2.0 use a Broadcast Receiver for location services requests instead of the Local Broadcast Manager. The Local Broadcast Manager offers more granular control of broadcast permissions, as well as performance enhancements.

Affected:

Mapbox Android SDK v4.0.0 through v4.2.0

Mapbox.js - XSS via share control

January 12, 2016

Summary:

When the share control of a mapbox.js map is clicked, arbitrary script content will execute if a malicious user has injected script content into the name property of TileJSON data.

Affected:

Mapbox.js v2.2.3 and earlier
Mapbox.js v1.6.4 and earlier

Mapbox.js - XSS via attribution control

October 24, 2015

Summary:

When a Mapbox.js map is loaded, malicious scripts will execute if the script content is inserted into the attribution property of TileJSON data.

Affected:

Mapbox.js v2.1.6 and earlier
Mapbox.js v1.6.4 and earlier