Budibase Path Traversal Vulnerability in Plugin File Upload Allows Arbitrary File Write and Directory Deletion

Vulnerability

A path traversal vulnerability has been identified in Budibase, an open-source low-code platform, prior to version 3.33.4. The issue arises in the plugin file upload endpoint, which directly passes user-supplied filenames to a function that creates temporary directories, without proper sanitization. This flaw allows an attacker with Global Builder privileges to craft a multipart upload that includes path traversal sequences, enabling them to delete arbitrary directories and write files to any accessible path on the filesystem via tarball extraction. The vulnerability has been patched in version 3.33.4.
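The following is an added example, not Budibase's own code, showing the unsafe pattern described above (a temp-directory name built straight from the upload filename) beside a hardened version that validates the name and confirms the resolved path stays under the scratch directory. The base directory and the accepted archive suffixes are assumptions for the example.

```typescript
import * as path from "path";

// Archive suffixes accepted for a plugin upload (assumption for this example).
const ALLOWED_SUFFIXES = [".tar.gz", ".tgz"];
// Conservative allowlist for the bare filename: letters, digits, dot, dash, underscore.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

// Unsafe pattern: the user-supplied filename is joined onto the scratch directory
// as-is, so "../../etc/target.tar.gz" resolves outside baseDir.
function naiveTempDir(baseDir: string, filename: string): string {
  return path.resolve(baseDir, filename.replace(/\.(tar\.gz|tgz)$/, ""));
}

// Reject anything that is not a plain archive name: no null bytes, no separators,
// no traversal components, no characters outside the allowlist, wrong suffix.
function validateUploadFilename(filename: string): string {
  if (filename.includes("\0")) throw new Error("null byte in filename");
  if (filename !== path.basename(filename) || filename.includes("/") || filename.includes("\\")) {
    throw new Error("filename must not contain path components");
  }
  if (filename.includes("..")) throw new Error("traversal sequence in filename");
  if (!SAFE_NAME.test(filename)) throw new Error("filename contains disallowed characters");
  if (!ALLOWED_SUFFIXES.some((s) => filename.endsWith(s))) throw new Error("not a tarball");
  return filename;
}

// Resolve `name` under `baseDir` and confirm the result is inside baseDir, so a
// validator gap still cannot yield a path outside the scratch directory.
function containedPath(baseDir: string, name: string): string {
  const base = path.resolve(baseDir);
  const target = path.resolve(base, name);
  if (target !== base && !target.startsWith(base + path.sep)) {
    throw new Error("resolved path escapes base directory");
  }
  return target;
}

// Hardened equivalent of naiveTempDir: validate first, then contain.
function safeTempDir(baseDir: string, filename: string): string {
  const name = validateUploadFilename(filename);
  return containedPath(baseDir, name.replace(/\.(tar\.gz|tgz)$/, ""));
}

// Helper for callers that only need a yes/no answer.
function isRejected(baseDir: string, filename: string): boolean {
  try { safeTempDir(baseDir, filename); return false; } catch { return true; }
}
```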

Impact

Exploitation of this vulnerability allows for arbitrary directory deletion and file writing. The uploaded tarball can overwrite application code, configuration, or system files. Additionally, in containerized Budibase deployments where Node.js runs as root, this could lead to remote code execution by manipulating startup scripts or application code.

Reproduction

To reproduce this vulnerability, upload a tarball file through the plugin upload API that includes a filename with path traversal sequences, such as '../../etc/target.tar.gz'. The server will extract the tarball contents to the traversed path, demonstrating the directory traversal and arbitrary file write capabilities.

Remediation

Users are advised to update to Budibase version 3.33.4 or later, where this vulnerability has been fixed.

Added: Apr 3, 2026, 4:22 PM
Updated: Apr 3, 2026, 4:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 2.5
exploitability: 6.1
remediation: 7.7
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.