Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a single subs…

Budibase, an open-source low-code platform, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 3.35.10. The vulnerability exists in the Plugin URL upload endpoint (POST /api/plugin) which only validates URLs with a simple substring check for '.tar.gz'. This weak validation allows any URL containing '.tar.gz' anywhere in the string to pass validation and proceed to fetchWithBlacklist() without proper host, scheme, or path validation. While the default SSRF blacklist provides some protection, the vulnerability can be exploited when chained with BLACKLIST_IPS bypass or through HTTP redirects from external URLs to internal targets. The issue has been fixed in version 3.35.10.