Budibase Remote Code Execution Vulnerability via Unauthenticated Webhook Trigger

Vulnerability

A remote code execution vulnerability has been identified in Budibase, an open-source low-code platform, in versions prior to 3.33.4. An unauthenticated attacker can execute arbitrary commands on the Budibase server as the root user inside the application container. The attacker reaches the code path by triggering a published automation that contains a Bash step through the public webhook endpoint, which requires no authentication. The flaw is that the Bash step renders template variables taken from the webhook payload (for example `{{ trigger.cmd }}`) into the shell command it executes, so whoever controls the payload controls the command, and the command runs with root privileges.

Impact

Successful exploitation gives an unauthenticated attacker arbitrary command execution as root inside the application container, with access to any sensitive information stored on the server and to internal services reachable from the container.

Reproduction

Reproduction requires an automation that an admin has created and published with a webhook trigger followed by a Bash step whose script interpolates a template variable taken from the payload, such as `{{ trigger.cmd }}`. Once the automation is published, an unauthenticated user sends a POST request to that automation's webhook endpoint with a JSON body that sets the referenced field to a shell command; the Bash step renders the value into its script and executes it as root. A tool such as curl is sufficient to send the request.
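A practitioner reading the reproduction above will want to know which of their own published automations match it. The following is an added example, not Budibase code: an offline check over exported automation definitions that flags a webhook trigger feeding a Bash step, and marks the finding as exploitable when the Bash step's inputs reference the webhook payload directly. The field names (`definition.trigger.stepId`, `definition.steps[].stepId`, `inputs.code`) and the step ids (`WEBHOOK`, `EXECUTE_BASH`, `CRON`, `SEND_EMAIL_SMTP`) are assumptions about the export format and the sample export is constructed; adjust both to the data you actually have.

```javascript
// Added example (not Budibase code): scan exported automation definitions for the
// pattern in the advisory, a webhook trigger followed by a Bash step. Field names
// and step ids below are assumptions about the export format.
const TRIGGER_REF = /\{\{\s*trigger\.[\w.]*\s*\}\}/;

// Collect every string reachable inside a step's inputs; templates can sit in
// nested objects or arrays, not only in a top-level "code" field.
function stringsIn(value, out = []) {
  if (typeof value === "string") out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => stringsIn(v, out));
  else if (value && typeof value === "object") Object.values(value).forEach((v) => stringsIn(v, out));
  return out;
}

function findExposedAutomations(automations) {
  const findings = [];
  for (const automation of automations) {
    const def = automation.definition || {};
    if (!def.trigger || def.trigger.stepId !== "WEBHOOK") continue;
    (def.steps || []).forEach((step, index) => {
      if (step.stepId !== "EXECUTE_BASH") return;
      const usesPayload = stringsIn(step.inputs).some((s) => TRIGGER_REF.test(s));
      findings.push({
        automation: automation.name,
        step: index,
        // Direct interpolation of the payload is the advisory's case; a Bash step
        // behind an unauthenticated trigger still deserves review either way.
        severity: usesPayload ? "exploitable" : "review",
      });
    });
  }
  return findings;
}

// Constructed sample export, not real data: one exposed automation, one Bash step
// behind a webhook that does not read the payload, and one on a cron trigger.
const SAMPLE_EXPORT = [
  {
    name: "deploy-hook",
    definition: {
      trigger: { stepId: "WEBHOOK" },
      steps: [
        { stepId: "SEND_EMAIL_SMTP", inputs: { subject: "{{ trigger.subject }}" } },
        { stepId: "EXECUTE_BASH", inputs: { code: "echo {{ trigger.cmd }}" } },
      ],
    },
  },
  {
    name: "static-cleanup",
    definition: {
      trigger: { stepId: "WEBHOOK" },
      steps: [{ stepId: "EXECUTE_BASH", inputs: { code: "rm -f /tmp/cache/*" } }],
    },
  },
  {
    name: "nightly",
    definition: {
      trigger: { stepId: "CRON" },
      steps: [{ stepId: "EXECUTE_BASH", inputs: { code: "echo {{ trigger.cmd }}" } }],
    },
  },
];

function scanSample() {
  return findExposedAutomations(SAMPLE_EXPORT);
}

console.log(scanSample());
```

On the sample export the scan reports `deploy-hook` (step 1, exploitable) and `static-cleanup` (step 0, review) and ignores `nightly`, whose trigger is not reachable without authentication. Treat "review" findings seriously as well: payload data can reach a Bash step indirectly through the outputs of an earlier step.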

Remediation

Update to Budibase version 3.33.4 or later, where this vulnerability has been patched. Until the upgrade is applied, review published automations that pair a webhook trigger with a Bash step and disable the Bash step or unpublish the automation, since the webhook endpoint accepts requests from anyone who can reach it.

Added: Apr 3, 2026, 4:21 PM
Updated: Apr 3, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.