Budibase
cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*
- <= 3.30.6
A server-side request forgery (SSRF) vulnerability has been identified in Budibase versions through 3.30.6. The issue arises in the REST datasource query preview endpoint, which accepts user-supplied URLs without proper validation. This flaw allows authenticated admin users to access internal services not exposed to the internet, such as cloud metadata endpoints (AWS, GCP, Azure), internal databases, Kubernetes APIs, and other pods on the internal network. Exploiting this vulnerability on GCP can lead to theft of OAuth2 tokens with full access to GCP services. Additionally, the vulnerability enables comprehensive enumeration of internal network services.
Exploitation of this vulnerability allows authenticated admin users to make the Budibase server send HTTP requests to any network-reachable address. This has been confirmed to result in theft of GCP OAuth2 tokens with full access to GCP services, access to internal databases such as CouchDB, enumeration of internal services like MinIO and Redis, and access to the Kubernetes API server using the pod's service account token.
To reproduce this vulnerability, an authenticated admin user can send a POST request to the '/api/queries/preview' endpoint. The request must include a 'fields.path' parameter with a URL pointing to an internal service or cloud metadata endpoint. Budibase then makes a server-side HTTP request to the specified URL without validating the destination. This can be done by first obtaining a session token through the login endpoint, then retrieving a REST datasource ID, and finally sending the SSRF request with the desired internal URL.
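As an added illustration (not Budibase's own code), the destination check that a REST datasource preview endpoint such as '/api/queries/preview' needs before fetching a user-supplied URL: it rejects non-HTTP schemes, metadata hostnames, and any literal or resolved address that is not globally routable, including IPv4-mapped IPv6 forms. The blocked hostname list and the injectable resolver are assumptions for the example.

```python
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit

# Assumed denylist for this example: names cloud metadata services answer on.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "localhost"}
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip_text: str) -> bool:
    """True for loopback, RFC 1918, link-local (169.254.169.254), ULA,
    unspecified, multicast: anything that is not globally routable."""
    addr = ipaddress.ip_address(ip_text.split("%", 1)[0])  # drop IPv6 scope id
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:10.0.0.1 -> 10.0.0.1
    if mapped is not None:
        addr = mapped
    return not addr.is_global


def check_outbound_url(url: str, resolve=socket.getaddrinfo) -> Optional[str]:
    """Return None if the server may fetch this URL, else the rejection reason.
    `resolve` is injectable so the check can be tested without network."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return f"blocked hostname: {host}"
    try:
        port = parts.port or 80
    except ValueError:
        return "invalid port"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, incl. [v6]
    except ValueError:
        try:
            addrs = sorted({info[4][0] for info in resolve(host, port)})
        except OSError as exc:
            return f"DNS resolution failed: {exc}"
    # Every answer must be public: a name that mixes public and private
    # records is rejected rather than trusting whichever record wins.
    for ip in addrs:
        if is_internal_address(ip):
            return f"resolves to internal address {ip}"
    return None
```

The fetch that follows must connect to the address that passed this check and re-run it on every redirect, otherwise a redirect or a DNS answer that changes between check and connect still reaches an internal service.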