Budibase
cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*
- < 3.38.1
A CouchDB reduce injection vulnerability has been identified in Budibase versions prior to 3.38.1. The issue arises in the V1 Views API (POST /api/views), where the calculation parameter is accepted from the request body and directly interpolated into a CouchDB reduce function definition without proper validation. Although an internal SCHEMA_MAP object outlines valid calculation types (sum, count, stats), this map is not utilized for validation before the value is interpolated. As a result, a user with Builder permissions can inject arbitrary JavaScript code that executes within the CouchDB JavaScript engine when the view is queried.
Exploitation of this vulnerability allows authenticated users with Builder role permissions to inject arbitrary JavaScript into CouchDB's SpiderMonkey sandbox via the V1 Views API. The injected code executes during view queries, with the potential to access and exfiltrate document data through the reduce function's values parameter. While this vulnerability does not lead to operating system-level remote code execution, the persistence of the injected code in the design document allows for repeated execution with each view query.
To reproduce this vulnerability, send a POST request to the V1 Views API (/api/views) with a crafted calculation parameter that includes injected JavaScript code. Ensure that the request is made with a session cookie that has Builder role permissions. Once the view is created, query it with the group parameter enabled. The injected JavaScript will execute in the CouchDB context, allowing access to the database's document data and the ability to return arbitrary information in the view response.
Users can update to Budibase version 3.38.1 or later, where this vulnerability has been fixed.
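The missing allowlist check and the design-document persistence described above, shown as an added example (not Budibase source code and not the project's actual patch). The names `ALLOWED_CALCULATIONS`, `reduceFor` and `unexpectedReduces`, the mapping to CouchDB's built-in `_sum`/`_count`/`_stats` reducers, and the sample design document are assumptions made for this sketch.

```javascript
// Added example with hypothetical names; not taken from the Budibase code base.
// Calculation types named in the advisory, mapped to CouchDB built-in
// reducers (the mapping is an assumption of this sketch).
const ALLOWED_CALCULATIONS = Object.freeze({
  sum: "_sum",
  count: "_count",
  stats: "_stats",
});

// Return the reduce value for a view, or throw when the client-supplied
// calculation is anything other than an exact, own allowlisted key.
function reduceFor(calculation) {
  if (
    typeof calculation !== "string" ||
    !Object.prototype.hasOwnProperty.call(ALLOWED_CALCULATIONS, calculation)
  ) {
    throw new Error("unsupported calculation");
  }
  // The request value is never interpolated; only the constant is returned.
  return ALLOWED_CALCULATIONS[calculation];
}

// Audit a design document: list views whose stored reduce is not one of the
// expected built-ins. These are candidates for manual review, since an
// injected reduce persists in the design document until it is removed.
function unexpectedReduces(designDoc) {
  const expected = new Set(Object.values(ALLOWED_CALCULATIONS));
  return Object.entries(designDoc.views || {})
    .filter(([, view]) => view.reduce !== undefined && !expected.has(view.reduce))
    .map(([name]) => name);
}

// Constructed sample design document (not real Budibase data).
const sampleDesignDoc = {
  _id: "_design/example",
  views: {
    totals: { map: "function (doc) { emit(doc.type, doc.amount); }", reduce: "_sum" },
    plain: { map: "function (doc) { emit(doc._id, null); }" },
    odd: {
      map: "function (doc) { emit(doc.type, 1); }",
      reduce: "function (keys, values) { return values; }",
    },
  },
};

console.log(unexpectedReduces(sampleDesignDoc));
```

The own-property check matters: a plain `calculation in ALLOWED_CALCULATIONS` test would accept inherited keys such as `constructor`.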