Budibase Server-Side Request Forgery Vulnerability in Automation Execute Query Step

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Budibase versions prior to 3.39.0. The issue arises in the executeQuery automation step, where the queryId is accepted from automation inputs and passed directly to the query execution controller without proper validation. This flaw can be exploited by an authenticated user with builder-level access, allowing them to create a REST datasource that targets internal infrastructure. When the automation is executed, the Budibase server makes outbound HTTP requests to the specified internal destinations, potentially exposing sensitive internal service data. The vulnerability is particularly concerning in environments where builder access is granted to partially trusted users and where network controls do not restrict outbound HTTP from the Budibase server.

Impact

Exploitation of this vulnerability allows for unauthorized HTTP requests to internal network endpoints from the Budibase server, with the potential to access and expose sensitive internal data. However, the impact is limited to environments where builder access is granted to partially trusted users and where network controls do not restrict outbound HTTP from the Budibase server.

Reproduction

To reproduce this vulnerability, an authenticated user with builder-level access can create a REST datasource targeting an internal endpoint, such as a cloud metadata service. After setting up the datasource, the user can create a query that references it and then create an automation that includes an Execute Query step referencing the query. When the automation is triggered, the Budibase server will make an HTTP request to the internal endpoint, and the response will be returned in the automation output.

Remediation

Users are advised to update Budibase to version 3.39.0 or later, where this vulnerability has been fixed.
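Beyond the upgrade, the deciding factor named above is whether the Budibase server may reach internal destinations at all. The following added example (not Budibase code) shows the kind of egress check a deployment can apply to a REST datasource URL before any outbound request: it resolves the hostname and rejects every address in loopback, private, link-local (cloud metadata) or otherwise non-public ranges, including IPv4-mapped IPv6 forms. The `resolve` parameter and the blocked-network list are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed deny-list: destinations a REST datasource must never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10",
    "169.254.0.0/16",          # link-local; cloud metadata services live here
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_blocked(ip):
    """True if the address falls in a blocked range (IPv4-mapped IPv6 is unwrapped)."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_unspecified or ip.is_multicast or ip.is_reserved:
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def _default_resolve(host):
    # Resolves via the OS; also normalises odd literal forms (e.g. "2130706433").
    return {r[4][0].split("%")[0] for r in socket.getaddrinfo(host, None)}


def check_datasource_target(url, resolve=_default_resolve):
    """Return (allowed, reason) for a datasource URL.

    Every address the host resolves to is checked, so a public DNS name that
    points at an internal address is rejected too. Pass `resolve` (a hypothetical
    hook) to supply addresses without network access, as the tests below do.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP, no lookup
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve {host!r}"
        if not addrs:
            return False, f"no addresses for {host!r}"
    for ip in addrs:
        if _is_blocked(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"
```

To be robust against DNS rebinding, the HTTP client should then connect to the address that passed the check rather than re-resolving the name.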

Added: May 28, 2026, 3:51 AM
Updated: May 28, 2026, 3:51 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.9
impact          0.6
exploitability  6.0
remediation     7.7
relevance       9.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.