{ "schema_version": "1.4.0", "id": "GHSA-4g2x-vq5p-5vj6", "modified": "2024-08-15T17:02:27Z", "published": "2024-03-01T20:09:00Z", "aliases": [], "summary": "Budibase affected by VM2 Constructor Escape Vulnerability", "details": "### Impact\nPreviously, budibase used a library called `vm2` for code execution inside the Budibase builder and apps, such as the UI below for configuring bindings in the design section.\n\n![Screenshot 2024-03-01 at 13 50 16](https://github.com/Budibase/budibase/assets/11256663/5f049b64-cd99-48fd-a184-644cd312c82e)\n\nDue to a [vulnerability in vm2](https://github.com/advisories/GHSA-cchq-frgv-rjh5), any environment that executed the code server side (automations and column formulas) was susceptible to this vulnerability, allowing users to escape the sandbox provided by `vm2`, and to expose server side variables such as `process.env`. It's recommended by the authors of `vm2` themselves that you should move to another solution for remote JS execution due to this vulnerability.\n\n### Patches\nWe moved our entire JS sandbox infrastructure over to `isolated-vm`, a much more secure and recommended library for remote code execution in 2.20.0. This also comes with a performance benefit in the way we cache and execute your JS server side. The budibase cloud platform has been patched already and is not running `vm2`, but self host users will need to manage the updates by themselves.\n\nIf you are a self hosted user, you can take the following steps to reproduce the exploit and to verify if your installation is currently affected.\n\nCreate a new formula column on one of your tables in the data section with the following configuration.\n![Screenshot 2024-03-01 at 14 04 28](https://github.com/Budibase/budibase/assets/11256663/0f8bc19b-9e44-4e95-ab4e-6ef6278eea34)\n\nAdd the following JS function to the formula and save.\n![Screenshot 2024-03-01 at 14 05 19](https://github.com/Budibase/budibase/assets/11256663/1d0c9705-1a88-49b0-93e0-f385a04b5c25)\n\nIf your installation is vulnerable, when the formula evaluates you will be able to see the printed `process.env` in your new formula field. If not, your installation is not affected.\n\n### Workarounds\nThere is no workaround at this time for any budibase app that uses JS. You must fully migrate post version 2.20.0 to patch the vulnerability.\n\n### References\n- https://github.com/advisories/GHSA-cchq-frgv-rjh5\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "@budibase/server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.20.0" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4g2x-vq5p-5vj6" }, { "type": "WEB", "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5" }, { "type": "WEB", "url": "https://github.com/Budibase/budibase/commit/601c02a4acc695b1cc602bf611f0ae66d6e5868f" }, { "type": "PACKAGE", "url": "https://github.com/Budibase/budibase" } ], "database_specific": { "cwe_ids": [ "CWE-94" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-03-01T20:09:00Z", "nvd_published_at": null } }