Budibase Unvalidated VectorDB Host Parameter Vulnerability Allowing Server-Side Request Forgery

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Budibase versions prior to 3.35.3. The issue arises in the VectorDB configuration endpoint, which accepts a host parameter without proper validation against internal IP ranges, reserved hostnames, or URL schemes. This flaw allows any authenticated user with builder-level access to submit arbitrary host values, such as localhost or specific internal IP addresses. As a result, the server may initiate outbound TCP connections to internal network addresses or cloud metadata endpoints on behalf of the user.

Impact

Exploitation of this vulnerability allows an attacker with builder access to use the Budibase server as a proxy to probe internal network services, potentially interact with unauthenticated internal services, and access cloud metadata endpoints that could lead to privilege escalation or lateral movement within the cloud environment.

Reproduction

To reproduce this vulnerability, an authenticated user with builder-level access can send a POST request to the VectorDB configuration endpoint with a crafted host parameter. The absence of validation will allow the request to be processed, causing the server to initiate a TCP connection to the specified host. This can be automated with a script that logs into Budibase, obtains an authentication token, and then sends requests to probe internal network addresses or cloud metadata services.

Remediation

Users are advised to update Budibase to version 3.35.3 or later, where this vulnerability has been fixed.

Added: May 28, 2026, 3:49 AM
Updated: May 28, 2026, 3:49 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.9
impact          2.9
exploitability  6.0
remediation     0.0
relevance       9.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.