Perceptive Security
SOC/SIEM Consultancy

Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skippi…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 20:13:41
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
Budibase, an open-source low-code platform, contains a server-side request forgery vulnerability in versions prior to 3.39.0. The fetchToken function in the OAuth2 SDK makes POST requests to builder-supplied URLs using plain node-fetch, bypassing the blacklist.isBlacklisted security check that protects other outbound fetch operations. The Joi schema validation for OAuth2 URLs lacks proper scheme and host restrictions, allowing potential abuse. This security flaw has been addressed in version 3.39.0 with proper validation and blacklist checking.
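The advisory describes two missing controls: an outbound request that skipped the blocklist check applied to other fetches, and a URL schema with no scheme or host restriction. The following is an added illustration of what such a control looks like on the defender's side; it is constructed for this page and is not Budibase's own fetchToken, Joi schema or blacklist.isBlacklisted code. The names `isBlockedHost`, `validateOutboundUrl` and `safeTokenPost`, the https-only policy and the sample URLs are assumptions. It relies only on Node's built-in WHATWG `URL` parser, which already normalises decimal and hexadecimal IPv4 spellings to dotted form before the host check runs.

```javascript
// Added example (not Budibase code): validate a builder-supplied OAuth2 token
// URL before any outbound POST, instead of passing it straight to fetch.
// All function names and the https-only policy are assumptions for this page.

const ALLOWED_PROTOCOLS = new Set(["https:"]); // token endpoints: TLS only

// Returns the four octets for a dotted IPv4 literal, or null.
function parseIPv4(h) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for loopback, unspecified, link-local, RFC 1918, ULA and well-known
// metadata hosts. A DNS name returns false here: it still needs a
// resolve-then-check step (or a pinned resolver) before the socket is opened.
function isBlockedHost(hostname) {
  let h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost") || h === "metadata.google.internal") {
    return true;
  }
  // IPv4-mapped IPv6 (::ffff:a.b.c.d or ::ffff:xxxx:xxxx): judge the inner IPv4.
  if (h.startsWith("::ffff:")) {
    const rest = h.slice(7);
    const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(rest);
    if (parseIPv4(rest)) h = rest;
    else if (hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      h = [hi >> 8, hi & 255, lo >> 8, lo & 255].join(".");
    }
  }
  const v4 = parseIPv4(h);
  if (v4) {
    const [a, b] = v4;
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (h.includes(":")) { // IPv6 literal
    return h === "::" || h === "::1" || /^fe[89ab]/.test(h) || /^f[cd]/.test(h);
  }
  return false;
}

// Parses the supplied string and rejects anything that is not a plain https URL
// without embedded credentials to a non-blocked host. Returns a verdict object
// so the caller can log the reason for a refusal.
function validateOutboundUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "embedded credentials not allowed" };
  }
  if (isBlockedHost(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} is blocklisted` };
  }
  return { ok: true, url };
}

// Token-endpoint POST that always goes through the validator. fetchImpl is
// injected so this runs offline; pass globalThis.fetch in real use. Validation
// failures throw synchronously so nothing is ever sent to a refused host.
function safeTokenPost(tokenUrl, form, fetchImpl) {
  const verdict = validateOutboundUrl(tokenUrl);
  if (!verdict.ok) {
    throw new Error(`refusing outbound request: ${verdict.reason}`);
  }
  return fetchImpl(verdict.url.toString(), {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams(form).toString(),
    redirect: "manual", // a 3xx must not be followed into a blocked host
  });
}

// Constructed sample inputs to show the verdicts.
for (const u of [
  "https://idp.example.com/oauth/token",
  "http://idp.example.com/oauth/token",
  "https://127.0.0.1/token",
  "https://0x7f000001/token",
  "https://[::ffff:127.0.0.1]/token",
]) {
  const v = validateOutboundUrl(u);
  console.log(u, "=>", v.ok ? "allowed" : `refused (${v.reason})`);
}
```

The `redirect: "manual"` option matters as much as the pre-check: a token endpoint that passes validation can still answer with a redirect to an internal address, so the response must be inspected rather than followed automatically. For DNS names the check above is only the first half; the resolved address should be checked again at connection time, since a name can resolve to a private address after validation.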
Technical details
Mitigation steps:
Affected products:
Budibase
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-48153
https://github.com/Budibase/budibase/security/advisories/GHSA-4q6h-8p4v-67vq
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
