@budibase/server 3.31.1

Direct Vulnerabilities

Known vulnerabilities in the @budibase/server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Incorrect Authorization @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Incorrect Authorization through the `row action trigger` process. An attacker can gain unauthorized access to data and perform actions on database rows outside their permitted scope by supplying a `rowId` that is not validated against the view's filters. How to fix Incorrect Authorization? Upgrade `@budibase/server` to version 3.38.1 or higher.	<3.38.1
H Arbitrary Code Injection @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Arbitrary Code Injection via the `calculation` parameter in the V1 Views API, which is interpolated directly into a CouchDB reduce function without validation. An attacker can execute arbitrary JavaScript code within the CouchDB JavaScript engine by submitting a crafted value for `calculation` in a POST request to the affected endpoint. This allows access to document data and persistence of malicious code in the database design document. Note: This is only exploitable if the attacker has Builder role permissions. How to fix Arbitrary Code Injection? Upgrade `@budibase/server` to version 3.38.1 or higher.	<3.38.1
M Server-side Request Forgery (SSRF) @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `_req` function. An attacker can access internal services and sensitive cloud metadata by leveraging HTTP redirects through an attacker-controlled server, bypassing IP blacklist protections. How to fix Server-side Request Forgery (SSRF)? Upgrade `@budibase/server` to version 3.38.1 or higher.	<3.38.1
M Server-side Request Forgery (SSRF) @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `processUrlFile` function. An attacker can access internal network resources and sensitive cloud metadata by supplying crafted URLs that target internal or private IP addresses, bypassing IP blacklist validation. How to fix Server-side Request Forgery (SSRF)? Upgrade `@budibase/server` to version 3.34.8 or higher.	<3.34.8
H Missing Authorization @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Missing Authorization via the `PUT /api/datasources/:datasourceId` route. An attacker can overwrite datasource connection parameters such as `host`, `port`, and `url` by sending crafted requests, which may allow probing or interacting with internal services, exposing sensitive information, or disrupting application functionality for all users. How to fix Missing Authorization? Upgrade `@budibase/server` to version 3.38.1 or higher.	<3.38.1
M Server-side Request Forgery (SSRF) @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the `urlUpload` function. An attacker can access internal network resources and sensitive metadata by submitting a crafted URL containing `.tar.gz` that bypasses insufficient validation, leading the server to make requests to arbitrary endpoints. This can be exploited by users with low privileges through the `/api/plugin` endpoint, potentially exposing confidential information from internal services or cloud metadata endpoints. Note: This is only exploitable if plugin loading is enabled and, for full internal network access, if the blacklist is disabled or bypassed. How to fix Server-side Request Forgery (SSRF)? Upgrade `@budibase/server` to version 3.35.10 or higher.	<3.35.10
H Command Injection @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Command Injection via the `bash` automation step, which executes user-supplied input using `execSync` without proper sanitization or validation. An attacker can execute arbitrary system commands by crafting malicious input that is processed and interpolated, leading to remote code execution and potential full system compromise. How to fix Command Injection? Upgrade `@budibase/server` to version 3.33.4 or higher.	<3.33.4
C Command Injection @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Command Injection via the public webhook endpoint. An attacker can execute arbitrary commands as the root user within the application container and exfiltrate sensitive environment secrets by sending crafted HTTP POST requests to the unauthenticated webhook endpoint, provided an administrator has previously configured an automation with a Bash step that uses webhook trigger field templates. Note: This is only exploitable if an admin has created and published an automation containing both a webhook trigger and a Bash step with a template referencing trigger fields, and the deployment is self-hosted (SELF_HOSTED=1). How to fix Command Injection? Upgrade `@budibase/server` to version 3.33.4 or higher.	<3.33.4
H Directory Traversal @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Directory Traversal via the `fileUpload()` and the `createTempFolder()` function. An attacker can delete arbitrary directories and write files to any location accessible by the Node.js process by uploading a crafted tarball with a filename containing path traversal sequences in a multipart request. Note: This is only exploitable if the attacker has Global Builder privileges. How to fix Directory Traversal? Upgrade `@budibase/server` to version 3.33.4 or higher.	<3.33.4
C Server-side Request Forgery (SSRF) @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `preview()` in the REST datasource query endpoint, which allows user-supplied URLs in the `fields.path` parameter to be requested by the server without validation. An attacker can access internal network resources, cloud metadata endpoints, and sensitive internal services by supplying arbitrary URLs. Note: This is only exploitable if the attacker is an authenticated admin or builder user. How to fix Server-side Request Forgery (SSRF)? Upgrade `@budibase/server` to version 3.34.8 or higher.	<3.34.8

Vulnerability

Vulnerable Version

Incorrect Authorization

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Incorrect Authorization through the row action trigger process. An attacker can gain unauthorized access to data and perform actions on database rows outside their permitted scope by supplying a rowId that is not validated against the view's filters.

How to fix Incorrect Authorization?

Upgrade @budibase/server to version 3.38.1 or higher.

<3.38.1

Arbitrary Code Injection

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Arbitrary Code Injection via the calculation parameter in the V1 Views API, which is interpolated directly into a CouchDB reduce function without validation. An attacker can execute arbitrary JavaScript code within the CouchDB JavaScript engine by submitting a crafted value for calculation in a POST request to the affected endpoint. This allows access to document data and persistence of malicious code in the database design document.

Note:

This is only exploitable if the attacker has Builder role permissions.

How to fix Arbitrary Code Injection?

Upgrade @budibase/server to version 3.38.1 or higher.

<3.38.1

Server-side Request Forgery (SSRF)

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the _req function. An attacker can access internal services and sensitive cloud metadata by leveraging HTTP redirects through an attacker-controlled server, bypassing IP blacklist protections.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @budibase/server to version 3.38.1 or higher.

<3.38.1

Server-side Request Forgery (SSRF)

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the processUrlFile function. An attacker can access internal network resources and sensitive cloud metadata by supplying crafted URLs that target internal or private IP addresses, bypassing IP blacklist validation.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @budibase/server to version 3.34.8 or higher.

<3.34.8

Missing Authorization

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Missing Authorization via the PUT /api/datasources/:datasourceId route. An attacker can overwrite datasource connection parameters such as host, port, and url by sending crafted requests, which may allow probing or interacting with internal services, exposing sensitive information, or disrupting application functionality for all users.

How to fix Missing Authorization?

Upgrade @budibase/server to version 3.38.1 or higher.

<3.38.1

Server-side Request Forgery (SSRF)

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the urlUpload function. An attacker can access internal network resources and sensitive metadata by submitting a crafted URL containing .tar.gz that bypasses insufficient validation, leading the server to make requests to arbitrary endpoints. This can be exploited by users with low privileges through the /api/plugin endpoint, potentially exposing confidential information from internal services or cloud metadata endpoints.

Note:

This is only exploitable if plugin loading is enabled and, for full internal network access, if the blacklist is disabled or bypassed.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @budibase/server to version 3.35.10 or higher.

<3.35.10

Command Injection

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Command Injection via the bash automation step, which executes user-supplied input using execSync without proper sanitization or validation. An attacker can execute arbitrary system commands by crafting malicious input that is processed and interpolated, leading to remote code execution and potential full system compromise.

How to fix Command Injection?

Upgrade @budibase/server to version 3.33.4 or higher.

<3.33.4

Command Injection

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Command Injection via the public webhook endpoint. An attacker can execute arbitrary commands as the root user within the application container and exfiltrate sensitive environment secrets by sending crafted HTTP POST requests to the unauthenticated webhook endpoint, provided an administrator has previously configured an automation with a Bash step that uses webhook trigger field templates.

Note: This is only exploitable if an admin has created and published an automation containing both a webhook trigger and a Bash step with a template referencing trigger fields, and the deployment is self-hosted (SELF_HOSTED=1).

How to fix Command Injection?

Upgrade @budibase/server to version 3.33.4 or higher.

<3.33.4

Directory Traversal

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Directory Traversal via the fileUpload() and the createTempFolder() function. An attacker can delete arbitrary directories and write files to any location accessible by the Node.js process by uploading a crafted tarball with a filename containing path traversal sequences in a multipart request.

Note: This is only exploitable if the attacker has Global Builder privileges.

How to fix Directory Traversal?

Upgrade @budibase/server to version 3.33.4 or higher.

<3.33.4

Server-side Request Forgery (SSRF)

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the preview() in the REST datasource query endpoint, which allows user-supplied URLs in the fields.path parameter to be requested by the server without validation. An attacker can access internal network resources, cloud metadata endpoints, and sensitive internal services by supplying arbitrary URLs.

Note: This is only exploitable if the attacker is an authenticated admin or builder user.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @budibase/server to version 3.34.8 or higher.

<3.34.8

@budibase/server@3.31.1

Budibase Web Server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically