Budibase Path Traversal Vulnerability in PWA ZIP Processing Endpoint Allows Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in Budibase versions through 3.31.5, specifically in the Progressive Web App (PWA) ZIP processing endpoint (POST /api/pwa/process-zip). This vulnerability allows authenticated users with builder privileges to read arbitrary files from the server filesystem. Exploitation of this vulnerability can lead to the exfiltration of sensitive environment variables, including JWT secrets, database credentials, encryption keys, and API tokens. The issue arises because the server processes user-controlled input from icons.json within uploaded ZIP files without proper validation, allowing attackers to specify paths that traverse the directory structure and access sensitive files. The extracted file contents are then uploaded to an object store (MinIO/S3) where they can be accessed through signed URLs, resulting in a complete compromise of the Budibase platform.

Impact

Exploitation of this vulnerability allows for critical arbitrary file read, leading to a complete compromise of the Budibase platform. All environment secrets, including JWT signing keys, database passwords, encryption keys, and API tokens, can be exfiltrated in a single request. On Budibase Cloud, this access to production secrets enables cross-tenant data access, affecting all customers.

Reproduction

To reproduce this vulnerability, an authenticated Budibase account with builder privileges is required. After logging in, upload a ZIP file containing a crafted icons.json file that includes paths to sensitive files such as /proc/1/environ and /etc/passwd. The server will process the ZIP file, read the specified files, and upload their contents to the object store. Finally, retrieve the exfiltrated data through the application's manifest endpoint, which provides signed URLs for accessing the uploaded file contents.

Added: Mar 9, 2026, 9:19 PM
Updated: Mar 9, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 7.6
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.