js · @budibase/server · Critical
@budibase/server OAuth2 SSRF via unblacklisted fetchToken URL
The OAuth2 SDK's fetchToken function POSTs to a builder-supplied URL without blacklist checking.
What changed
fetchToken in the OAuth2 SDK POSTs to a builder-supplied URL without checking it against the blacklist, so the token request can reach hosts the blacklist is meant to block. The Joi schema for the OAuth2 URL lacks scheme or host restrictions, so input validation does not stop it either.
Who it affects
All Budibase deployments (Cloud and self-hosted) using OAuth2 validation. Any builder account can exploit this.
What to do today
Apply the recommended fix: call blacklist.isBlacklisted on the token URL before the fetch and set redirect: 'manual' in fetchConfig (so a redirect from the token endpoint is not followed), or replace the fetch call with fetchWithBlacklist.
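A guarded fetchToken that applies both parts of that fix, as an added example rather than Budibase's own code: `isBlacklisted` here is a hypothetical stand-in for Budibase's blacklist module (scheme and private-host checks only), and the fetch implementation is injectable so the guard can be exercised without network access.

```javascript
// Added example, not Budibase code. `isBlacklisted` is a hypothetical stand-in
// for the project's blacklist module: reject non-http(s) schemes and hosts in
// loopback, link-local and RFC 1918 ranges.
const PRIVATE_HOST_PATTERNS = [
  /^localhost$/i,
  /^127\./,                      // IPv4 loopback
  /^10\./,                       // RFC 1918
  /^192\.168\./,                 // RFC 1918
  /^172\.(1[6-9]|2\d|3[01])\./,  // RFC 1918
  /^169\.254\./,                 // link-local, incl. cloud metadata endpoints
  /^0\./,                        // "this host"
  /^::1$/,                       // IPv6 loopback
];

function isBlacklisted(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return true; } // unparsable: refuse
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;
  // WHATWG URL normalises shorthand IPv4 (e.g. 127.1) to dotted quad, and wraps IPv6 in [].
  const host = url.hostname.replace(/^\[|\]$/g, "");
  return PRIVATE_HOST_PATTERNS.some((re) => re.test(host));
}

// fetchImpl defaults to the global fetch; tests pass a fake to stay offline.
async function fetchToken(tokenUrl, clientId, clientSecret, fetchImpl = globalThis.fetch) {
  if (isBlacklisted(tokenUrl)) {
    throw new Error(`OAuth2 token URL rejected by blacklist: ${tokenUrl}`);
  }
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
  });
  const resp = await fetchImpl(tokenUrl, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
    redirect: "manual", // a redirect could point past the check; never follow it
  });
  if (resp.status >= 300 && resp.status < 400) {
    throw new Error(`OAuth2 token endpoint redirected (${resp.status}); refusing to follow`);
  }
  if (!resp.ok) throw new Error(`OAuth2 token request failed: ${resp.status}`);
  return resp.json();
}
```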