Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects…

Budibase, an open-source low-code platform, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 3.38.1. The vulnerability exists in the REST datasource integration where HTTP redirects are followed without re-checking the IP blacklist. This allows authenticated Builder users to access internal services including cloud metadata and databases by redirecting requests through attacker-controlled servers. The vulnerability bypasses security controls designed to prevent access to internal resources. The issue has been patched in version 3.38.1 of Budibase.