@budibase/server 3.37.0

Direct Vulnerabilities

Known vulnerabilities in the @budibase/server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Incorrect Authorization @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Incorrect Authorization through the `row action trigger` process. An attacker can gain unauthorized access to data and perform actions on database rows outside their permitted scope by supplying a `rowId` that is not validated against the view's filters. How to fix Incorrect Authorization? Upgrade `@budibase/server` to version 3.38.1 or higher.	<3.38.1
H Arbitrary Code Injection @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Arbitrary Code Injection via the `calculation` parameter in the V1 Views API, which is interpolated directly into a CouchDB reduce function without validation. An attacker can execute arbitrary JavaScript code within the CouchDB JavaScript engine by submitting a crafted value for `calculation` in a POST request to the affected endpoint. This allows access to document data and persistence of malicious code in the database design document. Note: This is only exploitable if the attacker has Builder role permissions. How to fix Arbitrary Code Injection? Upgrade `@budibase/server` to version 3.38.1 or higher.	<3.38.1
M Server-side Request Forgery (SSRF) @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `_req` function. An attacker can access internal services and sensitive cloud metadata by leveraging HTTP redirects through an attacker-controlled server, bypassing IP blacklist protections. How to fix Server-side Request Forgery (SSRF)? Upgrade `@budibase/server` to version 3.38.1 or higher.	<3.38.1
H Missing Authorization @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Missing Authorization via the `PUT /api/datasources/:datasourceId` route. An attacker can overwrite datasource connection parameters such as `host`, `port`, and `url` by sending crafted requests, which may allow probing or interacting with internal services, exposing sensitive information, or disrupting application functionality for all users. How to fix Missing Authorization? Upgrade `@budibase/server` to version 3.38.1 or higher.	<3.38.1

Vulnerability

Vulnerable Version

Incorrect Authorization

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Incorrect Authorization through the row action trigger process. An attacker can gain unauthorized access to data and perform actions on database rows outside their permitted scope by supplying a rowId that is not validated against the view's filters.

How to fix Incorrect Authorization?

Upgrade @budibase/server to version 3.38.1 or higher.

<3.38.1

Arbitrary Code Injection

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Arbitrary Code Injection via the calculation parameter in the V1 Views API, which is interpolated directly into a CouchDB reduce function without validation. An attacker can execute arbitrary JavaScript code within the CouchDB JavaScript engine by submitting a crafted value for calculation in a POST request to the affected endpoint. This allows access to document data and persistence of malicious code in the database design document.

Note:

This is only exploitable if the attacker has Builder role permissions.

How to fix Arbitrary Code Injection?

Upgrade @budibase/server to version 3.38.1 or higher.

<3.38.1

Server-side Request Forgery (SSRF)

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the _req function. An attacker can access internal services and sensitive cloud metadata by leveraging HTTP redirects through an attacker-controlled server, bypassing IP blacklist protections.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @budibase/server to version 3.38.1 or higher.

<3.38.1

Missing Authorization

@budibase/server is a Budibase Web Server

Affected versions of this package are vulnerable to Missing Authorization via the PUT /api/datasources/:datasourceId route. An attacker can overwrite datasource connection parameters such as host, port, and url by sending crafted requests, which may allow probing or interacting with internal services, exposing sensitive information, or disrupting application functionality for all users.

How to fix Missing Authorization?

Upgrade @budibase/server to version 3.38.1 or higher.

<3.38.1

@budibase/server@3.37.0

Budibase Web Server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically