Perceptive Security
SOC/SIEM Consultancy

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource c…
Published:
2 April 2026 at 22:00:00
Alert date:
3 April 2026 at 17:05:03
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
A server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector prior to version 3.33.4. The SSRF protection relies on the BLACKLIST_IPS environment variable, which the official deployment configurations do not set by default, so the mechanism is completely ineffective out of the box. When the variable is empty, the blacklist function unconditionally returns false and every outbound request is allowed through without restriction. This creates a significant security risk, as attackers can potentially reach internal resources or make unauthorized requests from the server. The issue has been patched in version 3.33.4.
Technical details
Mitigation steps:
Upgrade to Budibase 3.33.4 or later, where the issue is patched.
Affected products:
Budibase
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-31818
https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732
https://github.com/Budibase/budibase/pull/18236
https://github.com/Budibase/budibase/releases/tag/3.33.4
https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
