js · @budibase/backend-core · Critical

@budibase/backend-core SSRF Bypass via DNS Rebinding

A DNS rebinding vulnerability in outbound fetch validation allows authenticated users with automation permissions to bypass the SSRF blacklist.

23 Jun 2026 · Read 1 min · Severity: act now

What changed

A DNS rebinding vulnerability in outbound fetch validation allows authenticated users with automation permissions to bypass the SSRF blacklist. The validation resolves a hostname and checks the result against the blacklist, but the subsequent socket connection performs a separate DNS lookup. An attacker-controlled hostname can therefore return a public IP during validation and a private or internal IP during the actual connection (a time-of-check/time-of-use gap between the two lookups).

Who it affects

Self-hosted and cloud Budibase deployments where authenticated users have automation permissions. Affected flows include outgoing webhook, Slack, Discord, Make, Zapier, n8n, AI extract, and object-store fetches.

What to do today

Upgrade Budibase to a patched version that pins validated IPs to the connection or uses a single DNS resolution. If no patch is available, restrict automation permissions to trusted users and consider network-level controls to block outbound requests to private IPs.
