Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.
Problem types
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73: External Control of File Name or Path
Product status
References
github.com/...dibase/security/advisories/GHSA-pqcr-jmfv-c9cp
github.com/...dibase/security/advisories/GHSA-pqcr-jmfv-c9cp