Budibase Server-Side Request Forgery Vulnerability via Inadequate URL Validation in Plugin Upload

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Budibase, an open-source low-code platform, in versions prior to 3.35.10. The issue lies in the plugin URL upload endpoint (POST /api/plugin), where URL validation consists of a simple substring check for '.tar.gz'. Any URL containing that substring anywhere in the string passes, and the scheme, host and path are never inspected. Budibase's default SSRF blacklist blocks private IP ranges, but the flaw remains exploitable in two scenarios: when the blacklist has been emptied, so that a URL pointing directly at an internal address is fetched without restriction; and when an external URL answers with an HTTP redirect to an internal target, which the server follows, so the redirect becomes the route to otherwise restricted resources.

Impact

Exploitation of this vulnerability can lead to unauthorized access to internal services and sensitive data, such as AWS, GCP, or Azure IMDS metadata, CouchDB databases, Redis session tokens, or other internal network services, depending on the crafted URL used in the attack.

Reproduction

To reproduce this vulnerability, submit a URL whose path contains '.tar.gz' but which points at an internal service or a private IP address to the plugin URL upload endpoint. If the instance's 'BLACKLIST_IPS' setting leaves the SSRF blacklist empty, the request to the internal address succeeds, demonstrating the issue. Where the default blacklist is in place, the same result can be obtained with an external URL that returns an HTTP redirect to the internal target, since the redirect is followed without re-validation.

Remediation

Users are advised to update to Budibase version 3.35.10 or later, where this vulnerability has been fixed.

Added: May 28, 2026, 4:02 AM
Updated: May 28, 2026, 4:02 AM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.