Budibase OAuth2 SDK SSRF Vulnerability Allowing Internal Host Access

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Budibase, an open-source low-code platform, in versions prior to 3.39.0. The issue arises in the OAuth2 SDK's 'fetchToken' function, which makes a POST request to a URL supplied by the builder. This request bypasses the blacklist check that is applied to all other outbound fetch operations, leaving internal hosts and cloud metadata endpoints reachable. The vulnerability is exacerbated by the Joi schema for the OAuth2 URL, which imposes no scheme or host restrictions. As a result, a builder could redirect the request to internal services or cloud metadata endpoints, leading to unauthorized data access.

Impact

Exploitation of this vulnerability allows access to internal services and cloud metadata, with potential for cross-tenant data exposure on Budibase Cloud or exfiltration of AWS IAM credentials, depending on the target URL.

Reproduction

To reproduce this vulnerability, a builder can POST an OAuth2 configuration to the '/api/oauth2/validate' endpoint, including a URL that points to an internal service or cloud metadata endpoint. The request will bypass the blacklist check and access the specified URL, potentially leaking sensitive information into the response.
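As an added example (not Budibase's own code or its actual fix), the kind of scheme and host check the advisory says 'fetchToken' skipped, applied to a builder-supplied token URL before any request is made; the function names, the blocked ranges and the https-only rule are assumptions for illustration.

```javascript
// Added example, not Budibase's code or fix; names here are hypothetical.
// IPv4 ranges a builder-controlled URL must never reach.
const BLOCKED_V4 = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // RFC 1918
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, incl. 169.254.169.254 cloud metadata
  ["100.64.0.0", 10],  // shared address space used by some cloud networks
];

const ipv4ToInt = (ip) =>
  ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;

function inCidr(ip, [base, bits]) {
  const mask = (~0 << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Takes the hostname from the WHATWG URL parser, which already canonicalises
// numeric hosts (0x7f000001 and 2130706433 both arrive as 127.0.0.1).
function isBlockedHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "metadata.google.internal") return true; // GCP metadata alias
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return BLOCKED_V4.some((range) => inCidr(host, range));
  }
  if (host.includes(":")) { // IPv6 literal
    if (host === "::1" || host === "::") return true;               // loopback, unspecified
    if (/^fe[89ab]/.test(host) || /^f[cd]/.test(host)) return true; // link-local, ULA
    const mapped = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (mapped) { // IPv4-mapped: re-check the embedded IPv4 address
      const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
      return BLOCKED_V4.some((r) => inCidr([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."), r));
    }
  }
  // A DNS name passes this string check; the address it resolves to must also
  // be checked at connect time, or a name pointing at an internal IP bypasses it.
  return false;
}

// Returns null when the URL is acceptable, otherwise the reason it is rejected.
function validateOAuth2TokenUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return "not a valid URL"; }
  if (url.protocol !== "https:") return `scheme ${url.protocol} not allowed`;
  if (url.username || url.password) return "credentials in URL not allowed";
  if (isBlockedHost(url.hostname)) return `host ${url.hostname} is internal`;
  return null;
}
```

A string check like this only covers literal hosts; the same ranges must be enforced against the resolved address when the connection is opened, and on every redirect the fetch follows.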

Remediation

Users are advised to update to Budibase version 3.39.0 or later, where this vulnerability has been fixed.

Added: May 28, 2026, 3:46 AM
Updated: May 28, 2026, 3:46 AM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 3.1
exploitability: 6.0
remediation: 7.7
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.