critical advisory

Budibase REST Connector SSRF via Empty Blacklist

A critical Server-Side Request Forgery (SSRF) vulnerability in Budibase's REST datasource connector allows attackers with Builder privileges to exfiltrate sensitive data from internal network services due to a missing default IP blacklist.

A critical Server-Side Request Forgery (SSRF) vulnerability exists in Budibase version 3.30.6, affecting self-hosted instances that do not explicitly configure the BLACKLIST_IPS environment variable. The vulnerability resides within the REST datasource connector and the backend-core blacklist module. Due to the absence of a default IP blacklist, the isBlacklisted() function in packages/backend-core/src/blacklist/blacklist.ts unconditionally returns false, bypassing SSRF protection. This allows users with Builder privileges or QUERY WRITE permissions to create malicious REST datasources, query internal services, and exfiltrate sensitive data, including CouchDB credentials, application data, and internal service metadata. This vulnerability impacts confidentiality, integrity, and availability, potentially leading to complete instance takeover.

Attack Chain

  1. An attacker with Builder privileges logs into the Budibase application.
  2. The attacker creates a new REST datasource via POST /api/datasources, configuring it to target an internal service like http://couchdb-service:5984.
  3. The Budibase server, specifically the packages/server/src/integrations/rest.ts component, evaluates the URL against the blacklist. Due to the empty BLACKLIST_IPS, the isBlacklisted() function returns false.
  4. The REST integration proceeds with the request using the fetch API, sending the request to the specified internal service.
  5. The internal service (e.g., CouchDB) responds with data.
  6. The attacker creates a query via POST /api/queries that uses the malicious REST datasource.
  7. The attacker executes the query via POST /api/v2/queries/:id, triggering a request to the internal service.
  8. The response from the internal service, containing sensitive data like database credentials or application data, is returned to the attacker, enabling data exfiltration or further exploitation.

Impact

Successful exploitation allows attackers to read CouchDB databases, including user credentials (bcrypt password hashes) and platform configurations. They can also modify user records, create new admin accounts, alter application data, or delete databases. The vulnerability enables resource exhaustion, database destruction, and service disruption. The vulnerability crosses the security boundary between the Budibase application layer and the infrastructure layer, granting access to CouchDB, MinIO, Redis, and other internal services.

Recommendation

  • Immediately set the BLACKLIST_IPS environment variable in your Budibase deployment to include at least 127.0.0.1, private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and cloud metadata endpoints to mitigate the SSRF vulnerability.
  • Restrict the BUILDER role to trusted users only, and apply the principle of least privilege to application-level permissions.
  • Deploy the Sigma rule “Detect Budibase REST Datasource Creation Targeting Internal IPs” to your SIEM and tune for your environment to detect potential exploitation attempts.
  • If you have unpatched instances of Budibase and have granted QUERY WRITE permissions widely, immediately audit and revoke those permissions from untrusted users.
  • Monitor webserver logs for unusual requests originating from the Budibase application server to internal IP addresses or services, particularly those used by CouchDB, Redis, or MinIO, to identify potential SSRF attempts.

Detection coverage (2 rules)

Detect Budibase REST Datasource Creation Targeting Internal IPs

Severity: high

Detects the creation of Budibase REST datasources that target internal IP addresses, indicating potential SSRF exploitation.

Rule format: Sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver, linux.

Detect Budibase Query Execution Targeting Internal REST Datasources

Severity: medium

Detects execution of queries that use a REST datasource pointing to a private IP address, indicating potential SSRF exploitation.

Rule format: Sigma. Tactics: discovery. Techniques: T1068. Sources: webserver, linux.
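The fail-closed address check the recommendations call for and the triage logic the two detection rules describe, as one added TypeScript example. This is not Budibase's code and not the vendor's Sigma rules: the BLACKLIST_IPS variable, the CIDR ranges and the POST /api/datasources route are taken from the advisory, while every function name, the JSON log format of the constructed sample lines and the single-label-hostname heuristic are assumptions. It goes slightly beyond the page in two places, stated in the comments: the gate checks every address a hostname resolves to rather than the hostname string, and 0.0.0.0/8 is added to the default deny-list.

```typescript
// Added example, not Budibase's own code. BLACKLIST_IPS, the CIDR ranges and
// the /api/datasources route come from the advisory; every function name and
// the log format below are assumptions.
import { isIPv4 } from "net";

// Defaults when BLACKLIST_IPS is unset or empty: the advisory's list (loopback,
// RFC 1918, link-local, which already contains the 169.254.169.254 metadata
// address) plus 0.0.0.0/8, a loopback alias added here beyond that list.
const DEFAULT_BLACKLIST = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
  "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8"];

// Dotted quad to an unsigned 32-bit number (arithmetic, so no sign trouble).
function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// True when ip lies inside cidr ("a.b.c.d/n"; a bare address means /32).
function inCidr(ip: string, cidr: string): boolean {
  const parts = cidr.split("/");
  const bits = parts.length > 1 ? Number(parts[1]) : 32;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(parts[0]) & mask) >>> 0);
}

// Comma-separated variable; an empty value means the defaults, never "allow all".
function parseBlacklist(envValue: string | undefined): string[] {
  const entries = (envValue ?? "").split(",").map(s => s.trim()).filter(s => s.length > 0);
  return entries.length > 0 ? entries : DEFAULT_BLACKLIST;
}

// The fail-open shape the advisory describes: no configured list, nothing blocked.
function isBlacklistedFailOpen(ip: string, envValue?: string): boolean {
  if (!envValue) return false;
  return envValue.split(",").some(c => inCidr(ip, c.trim()));
}

// Fail-closed replacement: defaults apply, and anything that is not a plain
// IPv4 literal (IPv6, names) is refused until the caller has resolved it.
function isBlacklisted(ip: string, envValue?: string): boolean {
  if (!isIPv4(ip)) return true;
  return parseBlacklist(envValue).some(c => inCidr(ip, c));
}

// Datasource URL gate: http(s) only, and every address the host resolves to
// must pass. resolvedIps is what the caller obtained from DNS (for instance
// dns.promises.lookup with { all: true }); passing it in keeps this offline.
function isSafeTarget(urlStr: string, resolvedIps: string[], envValue?: string): boolean {
  let url: URL;
  try { url = new URL(urlStr); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const ips = isIPv4(url.hostname) ? [url.hostname] : resolvedIps;
  return ips.length > 0 && ips.every(ip => !isBlacklisted(ip, envValue));
}

// ---- Detection side: triage datasource-creation events from logs ----

// Constructed sample lines in a hypothetical JSON audit format (not Budibase's
// real log schema); only the method, path and datasource URL fields matter.
const SAMPLE_LOGS = [
  '{"ts":"2024-05-01T10:00:01Z","user":"alice@example.com","method":"POST","path":"/api/datasources","datasource":{"source":"REST","url":"https://api.example.com/v1"}}',
  '{"ts":"2024-05-01T10:02:13Z","user":"mallory@example.com","method":"POST","path":"/api/datasources","datasource":{"source":"REST","url":"http://10.42.0.7:5984"}}',
  '{"ts":"2024-05-01T10:02:40Z","user":"mallory@example.com","method":"POST","path":"/api/datasources","datasource":{"source":"REST","url":"http://couchdb-service:5984"}}',
  '{"ts":"2024-05-01T10:03:05Z","user":"bob@example.com","method":"GET","path":"/api/datasources"}',
  '{"ts":"2024-05-01T10:04:22Z","user":"mallory@example.com","method":"POST","path":"/api/datasources","datasource":{"source":"REST","url":"http://127.0.0.1:5984/"}}',
];

interface Finding { ts: string; user: string; url: string; reason: string }

// Why a target looks internal, or null. IPv4 literals use the default deny-list;
// "localhost" and single-label names (compose/Kubernetes service names such as
// couchdb-service) are a heuristic assumed here, not part of the rule text.
function internalReason(urlStr: string): string | null {
  let url: URL;
  try { url = new URL(urlStr); } catch { return "unparseable url"; }
  const host = url.hostname;
  if (isIPv4(host)) return isBlacklisted(host) ? "private or reserved IPv4" : null;
  if (host === "localhost" || !host.includes(".")) return "internal hostname";
  return null;
}

// The rule's logic: POST /api/datasources whose REST URL points inward.
function flagInternalDatasourceCreates(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    let ev: any;
    try { ev = JSON.parse(line); } catch { continue; }
    if (ev.method !== "POST" || ev.path !== "/api/datasources") continue;
    const url = ev.datasource?.url;
    if (typeof url !== "string") continue;
    const reason = internalReason(url);
    if (reason !== null) findings.push({ ts: ev.ts, user: ev.user, url, reason });
  }
  return findings;
}

for (const f of flagInternalDatasourceCreates(SAMPLE_LOGS)) {
  console.log(`${f.ts} ${f.user} -> ${f.url} (${f.reason})`);
}
```

Run with ts-node or tsx; the loop at the bottom prints the three flagged events from the constructed lines. Two design points matter in a real deployment: the addresses handed to isSafeTarget must be the ones the request will actually connect to, since checking one lookup and fetching on another leaves a gap, and the detection side deliberately ignores the configured BLACKLIST_IPS and always applies the defaults, because the rule is meant to fire precisely on instances where the variable was never set.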
