@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
Description
Summary
Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding.
The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection.
This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints.
Details
The issue comes from the outbound fetch validation flow resolving DNS twice:
During blacklist validation Again during the real socket connection
The first lookup result is discarded after validation, so the second lookup is free to resolve to a different IP.
This creates a classic TOCTOU DNS rebinding issue.
Affected flow in:
packages/backend-core/src/utils/outboundFetch.ts `` async function throwIfUnsafe(url: string): Promise { const parsed = parseUrl(url) if (await isBlacklisted(parsed.hostname)) { throw new Error("URL is blocked or could not be resolved safely.") } } for (let redirects = 0; redirects <= MAX_REDIRECTS; redirects++) { await throwIfUnsafe(nextUrl) const response = await fetchFn(nextUrl, nextRequest) // ... } ``
fetchFn uses plain node-fetch with no custom http.Agent / https.Agent, so the underlying socket performs its own independent dns.lookup after validation completes.
The same pattern also exists in:
packages/server/src/automations/steps/utils.ts `` await throwIfBlacklisted(nextUrl) const response = await fetch(nextUrl, nextRequest) ``
The blacklist implementation resolves hostnames but only returns a boolean:
packages/backend-core/src/blacklist/blacklist.ts `` async function lookup(address: string): Promise<string[]> { address = parseAddress(address) const addresses = await performLookup(address, { all: true }) return addresses.map(addr => addr.address) } export async function isBlacklisted(address: string): Promise { // ... if (!net.isIP(address)) { try { ips = await lookup(address) } catch (e) { /* ... */ } } else { ips = [address] } return ips.some(ip => blackList!.check(ip, getIpVersion(ip))) } ``
The resolved IPs are discarded, so callers cannot pin the later socket connection to the validated addresses.
An attacker controlling authoritative DNS for a hostname can therefore return:
a public IP during validation a private/internal IP during the actual connection
Anything routing through these helpers inherits the issue, including:
outgoing webhook Slack Discord Make Zapier n8n AI extract object-store fetches
Several of these steps return upstream response content directly into automation output, which makes the SSRF non-blind.
PoC
Tested locally against a self-hosted build from master. No Budibase-operated infrastructure was touched.
Run Budibase locally.
Start a harmless local HTTP listener:
python3 -m http.server 8080 --bind 127.0.0.1
Use a rebinding hostname such as:
7f000001.cb007264.rbndr.us
which rotates between:
127.0.0.1 203.0.113.100
Steps to reproduce:
Log into Budibase with automation permissions. Create an automation using the Outgoing Webhook step. Set the URL to: http://:8080/ Trigger the automation.
Observed result:
The blacklist validation resolves the hostname to the public IP and allows the request. node-fetch performs a second DNS lookup during socket creation. The second lookup resolves to 127.0.0.1. The TCP connection lands on the local service. The local server response body appears directly in the automation output. Impact
This produces a non-blind read-SSRF primitive against anything reachable from the Budibase host process, including:
loopback services (127.0.0.1) RFC1918 ranges internal Kubernetes/VPC services cloud metadata endpoints (169.254.169.254)
On cloud deployments without IMDSv2 enforcement, this may expose temporary IAM credentials via:
/latest/meta-data/iam/security-credentials/
On multi-tenant hosted deployments, this may also create potential cross-tenant access paths through shared internal infrastructure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@budibase/backend-corenpm | < 3.39.9 | 3.39.9 |
Affected products
1Patches
Vulnerability mechanics
Root cause
"The outbound fetch flow performs two independent DNS lookups—one for blacklist validation and one for the actual socket connection—without pinning the validated IPs, enabling a DNS rebinding bypass."
Attack vector
An attacker with automation permissions in Budibase can exploit a TOCTOU DNS rebinding race condition [CWE-367] to bypass the SSRF blacklist [CWE-918]. The attacker controls authoritative DNS for a hostname that returns a public IP during the blacklist validation lookup, then returns a private/internal IP during the subsequent DNS lookup performed by node-fetch when opening the socket. This allows the attacker to craft an automation step (e.g., Outgoing Webhook) pointing to a rebinding hostname, causing the request to reach loopback services, RFC1918 ranges, or cloud metadata endpoints such as 169.254.169.254.
Affected code
The vulnerability resides in the outbound fetch validation flow within `packages/backend-core/src/utils/outboundFetch.ts` and `packages/server/src/automations/steps/utils.ts`. The `throwIfUnsafe` function validates a hostname against the blacklist, but the subsequent `fetchFn` call performs an independent DNS lookup via node-fetch without pinning the validated IPs. The blacklist implementation in `packages/backend-core/src/blacklist/blacklist.ts` discards resolved IPs after returning a boolean, so callers cannot enforce that the same IP is used for the actual connection.
What the fix does
The advisory does not include a published patch, but the root cause is clear: the blacklist validation resolves the hostname and discards the resolved IPs, while the subsequent socket connection performs its own independent DNS lookup. To close the vulnerability, the code should pin the validated IP addresses to the connection—for example, by resolving the hostname once, validating all resolved IPs against the blacklist, and then passing those IPs directly to the HTTP client (e.g., via a custom `http.Agent` or by replacing the hostname with the IP in the URL). This eliminates the window for a DNS rebinding attack.
Preconditions
- authThe attacker must have a Budibase account with automation permissions.
- inputThe attacker must control authoritative DNS for a hostname that can return different IPs on successive queries (DNS rebinding).
- networkThe target internal service must be reachable from the Budibase host process (e.g., loopback, RFC1918, cloud metadata).
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.