Budibase Cloud Unsafe eval() Vulnerability in View Filtering Allows Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in Budibase Cloud versions prior to 3.30.4. The issue arises from an unsafe eval() call in the view filtering implementation: user-controlled view map functions are executed on the server without proper sanitization. The vulnerability is exclusive to Budibase Cloud (SaaS) deployments; self-hosted versions use native CouchDB views and are not affected. The flaw allows any authenticated user, including those on the free tier, to execute arbitrary JavaScript code on the server. Exploitation could expose sensitive environment variables, including CouchDB admin credentials, which could then be used to access and enumerate tenant databases, where user records such as email addresses are readable.

Impact

Exploitation of this vulnerability allows arbitrary code execution on the server, with access to sensitive environment variables that can in turn be used to reach CouchDB databases and user information.

Reproduction

To reproduce this vulnerability, an authenticated user creates a table view in Budibase Cloud with a custom filter that includes malicious JavaScript code. The payload is injected into the view's map function, which the server executes via eval(). Once the view is queried, the injected code runs, achieving remote code execution on the server.
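The root cause described above and in the Vulnerability section is a filter that arrives as executable source and is handed to eval(). The following is an added illustration, not Budibase's own code: the unsafe pattern is shown in skeleton form next to a hardened alternative in which the filter is a declarative object (field, operator, value) checked against an allow-list, so no user-supplied string is ever executed. The function and field names and the sample rows are constructed for this example.

```javascript
// Unsafe pattern (illustrative skeleton of the flaw class, not the actual
// Budibase implementation): the filter is JavaScript source controlled by the
// caller, so whatever it contains runs with the server's privileges.
function filterRowsUnsafe(rows, mapFnSource) {
  const mapFn = eval(`(${mapFnSource})`); // executes caller-controlled code
  return rows.filter(mapFn);
}

// Hardened alternative: an allow-list of comparison operators implemented in
// server code. The user only chooses among them; they never supply code.
const OPERATORS = {
  equal: (a, b) => a === b,
  notEqual: (a, b) => a !== b,
  contains: (a, b) => typeof a === "string" && a.includes(String(b)),
  greaterThan: (a, b) => a > b,
  lessThan: (a, b) => a < b,
};
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Validate a user-supplied filter: an array of clauses with a plain field
// name, a known operator and a primitive value. Anything else is rejected.
function validateFilter(filter) {
  if (!Array.isArray(filter)) throw new TypeError("filter must be an array");
  return filter.map(({ field, operator, value }) => {
    if (typeof field !== "string" || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(field))
      throw new TypeError(`invalid field name: ${String(field)}`);
    if (typeof operator !== "string" || !hasOwn(OPERATORS, operator))
      throw new TypeError(`unsupported operator: ${String(operator)}`);
    if (value !== null && !["string", "number", "boolean"].includes(typeof value))
      throw new TypeError("value must be a primitive");
    return { field, operator, value };
  });
}

// Apply the validated filter with AND semantics across clauses.
function filterRows(rows, filter) {
  const clauses = validateFilter(filter);
  return rows.filter((row) =>
    clauses.every(({ field, operator, value }) =>
      OPERATORS[operator](hasOwn(row, field) ? row[field] : undefined, value)
    )
  );
}

// Constructed sample rows standing in for a Budibase table.
const SAMPLE_ROWS = [
  { name: "alice", age: 31, role: "admin" },
  { name: "bob", age: 27, role: "user" },
];
```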

Remediation

Update to Budibase version 3.30.4 or later, where this vulnerability has been patched.

Added: Feb 25, 2026, 5:39 PM
Updated: Feb 25, 2026, 5:39 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 7.5
exploitability: 6.2
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.