Skip to content

@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation

High severity GitHub Reviewed Published Jun 4, 2026 in Budibase/budibase • Updated Jun 22, 2026

Package

npm @budibase/backend-core (npm)

Affected versions

< 3.39.9

Patched versions

3.39.9

Description

Summary

Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding.

The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection.

This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints.

Details

The issue comes from the outbound fetch validation flow resolving DNS twice:

During blacklist validation
Again during the real socket connection

The first lookup result is discarded after validation, so the second lookup is free to resolve to a different IP.

This creates a classic TOCTOU DNS rebinding issue.

Affected flow in:

packages/backend-core/src/utils/outboundFetch.ts

async function throwIfUnsafe(url: string): Promise<void> {
  const parsed = parseUrl(url)

  if (await isBlacklisted(parsed.hostname)) {
    throw new Error("URL is blocked or could not be resolved safely.")
  }
}

for (let redirects = 0; redirects <= MAX_REDIRECTS; redirects++) {
  await throwIfUnsafe(nextUrl)

  const response = await fetchFn(nextUrl, nextRequest)

  // ...
}

fetchFn uses plain node-fetch with no custom http.Agent / https.Agent, so the underlying socket performs its own independent dns.lookup after validation completes.

The same pattern also exists in:

packages/server/src/automations/steps/utils.ts

await throwIfBlacklisted(nextUrl)

const response = await fetch(nextUrl, nextRequest)

The blacklist implementation resolves hostnames but only returns a boolean:

packages/backend-core/src/blacklist/blacklist.ts

async function lookup(address: string): Promise<string[]> {
  address = parseAddress(address)

  const addresses = await performLookup(address, { all: true })

  return addresses.map(addr => addr.address)
}

export async function isBlacklisted(address: string): Promise<boolean> {
  // ...

  if (!net.isIP(address)) {
    try {
      ips = await lookup(address)
    } catch (e) {
      /* ... */
    }
  } else {
    ips = [address]
  }

  return ips.some(ip => blackList!.check(ip, getIpVersion(ip)))
}

The resolved IPs are discarded, so callers cannot pin the later socket connection to the validated addresses.

An attacker controlling authoritative DNS for a hostname can therefore return:

a public IP during validation
a private/internal IP during the actual connection

Anything routing through these helpers inherits the issue, including:

outgoing webhook
Slack
Discord
Make
Zapier
n8n
AI extract
object-store fetches

Several of these steps return upstream response content directly into automation output, which makes the SSRF non-blind.

PoC

Tested locally against a self-hosted build from master.
No Budibase-operated infrastructure was touched.

Run Budibase locally.

Start a harmless local HTTP listener:

python3 -m http.server 8080 --bind 127.0.0.1

Use a rebinding hostname such as:

7f000001.cb007264.rbndr.us

which rotates between:

127.0.0.1
203.0.113.100

Steps to reproduce:

Log into Budibase with automation permissions.
Create an automation using the Outgoing Webhook step.
Set the URL to:
http://:8080/
Trigger the automation.

Observed result:

The blacklist validation resolves the hostname to the public IP and allows the request.
node-fetch performs a second DNS lookup during socket creation.
The second lookup resolves to 127.0.0.1.
The TCP connection lands on the local service.
The local server response body appears directly in the automation output.
Impact

This produces a non-blind read-SSRF primitive against anything reachable from the Budibase host process, including:

loopback services (127.0.0.1)
RFC1918 ranges
internal Kubernetes/VPC services
cloud metadata endpoints (169.254.169.254)

On cloud deployments without IMDSv2 enforcement, this may expose temporary IAM credentials via:

/latest/meta-data/iam/security-credentials/

On multi-tenant hosted deployments, this may also create potential cross-tenant access paths through shared internal infrastructure.

References

@mjashanks mjashanks published to Budibase/budibase Jun 4, 2026
Published to the GitHub Advisory Database Jun 22, 2026
Reviewed Jun 22, 2026
Last updated Jun 22, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(10th percentile)

Weaknesses

Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. Learn more on MITRE.

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

CVE ID

CVE-2026-54353

GHSA ID

GHSA-gfq7-5x4g-3xhf

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.