Budibase, the popular open-source platform used by engineers to build internal apps and automations, has issued a high-priority security update following the discovery of a critical authentication bypass. The vulnerability, carrying a CVSS score of 9.1, allows unauthenticated attackers to access protected administrative endpoints by exploiting a simple oversight in the system’s URL matching logic.
The flaw centers on the platform’s authentication middleware, which determines if a request requires a login. To allow certain “public” endpoints to function without a session, the system uses regular expressions (regex) to check the incoming URL.
However, researchers discovered that these regex patterns were "unanchored", meaning they matched anywhere in the URL string rather than only at the beginning. Because Budibase is built on the Koa framework, where ctx.request.url includes the query string, an attacker could simply append a public path as a query parameter to any protected request.
For example, a sensitive request like:
…would bypass all security checks because the regex for the public /api/system/status endpoint was found within the query string portion of the URL.
The implications of this bypass are severe. An unauthenticated attacker could leverage this flaw to:
- Enumerate All Users: Access a full directory including emails, names, roles, and administrative status.
- Identify the Owner: Discover the specific account holder or instance owner.
- Disrupt Services: Trigger license refreshes or inject unauthorized events into the internal system.
The user search capability is considered the most damaging aspect of the flaw, as it effectively reveals the entire user database to anyone on the internet.
The vulnerability affects all versions of Budibase prior to the latest release. Security teams are urged to update to version 3.35.4 immediately to close the loophole.
The fix involves two primary coding changes:
- Anchoring the Regex: Adding the ^ symbol to ensure the pattern only matches the start of the route.
- Using Path instead of URL: Switching the check to ctx.request.path, which excludes query strings from the matching process.
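To make the two changes concrete, here is an added example (not Budibase's own code) that models the public-route check described above in its unanchored form and its hardened form, plus a small audit helper that flags unanchored patterns in a route list. The protected path /api/protected/example and the PUBLIC_ROUTES arrays are hypothetical; only /api/system/status is named in the advisory.

```javascript
// Added example, not Budibase code. Models the middleware check described in the
// advisory: a public-route regex list tested against the request, gating the login
// requirement. Only /api/system/status is taken from the advisory; other paths are made up.

// Vulnerable form: unanchored pattern, tested against ctx.request.url, which in Koa
// still contains the query string.
const PUBLIC_ROUTES = [/\/api\/system\/status/];
function isPublicVulnerable(ctx) {
  return PUBLIC_ROUTES.some((re) => re.test(ctx.request.url));
}

// Hardened form: pattern anchored with ^ (and $), tested against ctx.request.path,
// which Koa derives from the URL with the query string removed.
const PUBLIC_ROUTES_ANCHORED = [/^\/api\/system\/status$/];
function isPublicFixed(ctx) {
  return PUBLIC_ROUTES_ANCHORED.some((re) => re.test(ctx.request.path));
}

// Audit helper: returns the source of every pattern that is not anchored at the start,
// so a route list can be checked before it is trusted as an allow-list.
function findUnanchored(patterns) {
  return patterns.filter((re) => !re.source.startsWith("^")).map((re) => re.source);
}

// Minimal stand-in for Koa's ctx.request: path is everything before the first '?'.
function makeCtx(url, session = null) {
  const path = url.split("?")[0];
  return { request: { url, path }, session };
}

// Middleware decision: the route is public, or a session user exists, or 401.
function authorize(ctx, isPublic) {
  if (isPublic(ctx)) return "public";
  if (ctx.session && ctx.session.userId) return "authenticated";
  const err = new Error("Unauthorized");
  err.status = 401;
  throw err;
}

// Constructed sample requests: a protected path with a public path smuggled into the
// query string (the shape the advisory describes), and a genuine public request.
const crafted = makeCtx("/api/protected/example?redirect=/api/system/status");
const legit = makeCtx("/api/system/status");
```

Run with node; the unanchored matcher treats the crafted request as public, the anchored path-based matcher does not, and findUnanchored reports the original pattern.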