Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.
In the file packages/server/src/db/inMemoryView.ts, user-supplied view mapping functions are passed directly to eval() without any sanitization or validation (CWE-20, CWE-94, CWE-95). An attacker can prepare a malicious payload as a view filter function and execute it in the context of the application server process. The environment under app-service contains environment variables with sensitive secrets, including INTERNAL_API_KEY, JWT_SECRET, CouchDB administrator credentials, and AWS keys, which become available to the attacker after exploitation. Obtaining CouchDB credentials enables direct access to the database, enumeration of databases for all tenants, and reading user records (including email addresses).
An attacker can execute arbitrary JavaScript code on the server (RCE), extract all sensitive environment secrets (API keys, JWT, CouchDB data, AWS keys), and gain full access to the databases of all tenants and the user data contained in them.
Budibase should be updated to version 3.30.4, which contains the fix. Users using Budibase Cloud should verify that the provider has deployed the update. Self-hosted instances do not require remedial action in connection with this vulnerability.
Budibase in Cloud version (SaaS) earlier than 3.30.4 — only the Budibase Cloud environment; self-hosted deployments are not vulnerable.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:LBudibase
APPBudibase< 3.30.4
Related vulnerabilities
SQL/NoSQL Injection w Budibase — nieautoryzowany odczyt i zapis danych
Budibase: path traversal przez symlink w endpoint przetwarzania ZIP
Budibase: pominięcie uwierzytelnienia przez manipulację query string
Budibase: nieuwierzytelniony RCE przez publiczny webhook i krok Bash
SSRF w Budibase — nieaktywna ochrona blacklisty IP umożliwia dowolne żądania