Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fet…

Budibase open-source low-code platform contains an SSRF vulnerability in OAuth2 token fetch function prior to version 3.39.0. The vulnerability exists in packages/server/src/sdk/workspace/oauth2/utils.ts where raw fetch(config.url) is used without SSRF protection. While a safe wrapper fetchWithBlacklist() exists and is used elsewhere in the codebase, it was not applied to the OAuth2 token endpoint. Users with BUILDER role can exploit this to point OAuth2 token URL to internal services like CouchDB and cloud metadata to exfiltrate sensitive data. The vulnerability has been fixed in version 3.39.0.