@budibase/shared-core 3.31.3

Direct Vulnerabilities

Known vulnerabilities in the @budibase/shared-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Command Injection @budibase/shared-core is a Shared data utils Affected versions of this package are vulnerable to Command Injection via the `bash` automation step, which executes user-supplied input using `execSync` without proper sanitization or validation. An attacker can execute arbitrary system commands by crafting malicious input that is processed and interpolated, leading to remote code execution and potential full system compromise. How to fix Command Injection? Upgrade `@budibase/shared-core` to version 3.33.4 or higher.	<3.33.4
C Command Injection @budibase/shared-core is a Shared data utils Affected versions of this package are vulnerable to Command Injection via the public webhook endpoint. An attacker can execute arbitrary commands as the root user within the application container and exfiltrate sensitive environment secrets by sending crafted HTTP POST requests to the unauthenticated webhook endpoint, provided an administrator has previously configured an automation with a Bash step that uses webhook trigger field templates. Note: This is only exploitable if an admin has created and published an automation containing both a webhook trigger and a Bash step with a template referencing trigger fields, and the deployment is self-hosted (SELF_HOSTED=1). How to fix Command Injection? Upgrade `@budibase/shared-core` to version 3.33.4 or higher.	<3.33.4

Vulnerability

Vulnerable Version

Command Injection

@budibase/shared-core is a Shared data utils

Affected versions of this package are vulnerable to Command Injection via the bash automation step, which executes user-supplied input using execSync without proper sanitization or validation. An attacker can execute arbitrary system commands by crafting malicious input that is processed and interpolated, leading to remote code execution and potential full system compromise.

How to fix Command Injection?

Upgrade @budibase/shared-core to version 3.33.4 or higher.

<3.33.4

Command Injection

@budibase/shared-core is a Shared data utils

Affected versions of this package are vulnerable to Command Injection via the public webhook endpoint. An attacker can execute arbitrary commands as the root user within the application container and exfiltrate sensitive environment secrets by sending crafted HTTP POST requests to the unauthenticated webhook endpoint, provided an administrator has previously configured an automation with a Bash step that uses webhook trigger field templates.

Note: This is only exploitable if an admin has created and published an automation containing both a webhook trigger and a Bash step with a template referencing trigger fields, and the deployment is self-hosted (SELF_HOSTED=1).

How to fix Command Injection?

Upgrade @budibase/shared-core to version 3.33.4 or higher.

<3.33.4

@budibase/shared-core@3.31.3

Shared data utils

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically