Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints · Advisory · Budibase/budibase · GitHub

Vulnerability Summary: BudiBase Authentication Bypass Vulnerability Overview Title: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints Severity: Critical (9.1/10) CVE ID: CVE-2024-41428 Affected Versions: all Fixed Version: 3.35.4 Principle: BudiBase’s authentication middleware uses an unanchored regular expression to match public (unauthenticated) endpoints. Since in the Koa framework includes the query string, an attacker can bypass authentication by appending query parameters after a public endpoint path (e.g., ). The regex will match the query string portion, causing the flag to be set to , thereby skipping global authentication checks. Impact Scope Affected Endpoints (no route-level authentication, fully exposed): — Search all users (email, name, role) — Get current user information — Account holder lookup — Template definitions — Refresh license — Publish event Attacker Capabilities: 1. Enumerate all users: Use to obtain email, name, role, admin status, builder status. 2. Discover account holders: Use to identify instance owners. 3. Trigger license refresh: Use potentially disrupting service. 4. Publish events: Use to inject events into the event system. Most severe impact: The user search function exposes the complete user directory of a BudiBase instance to anyone on the internet. Unaffected Endpoints: — Protected by (checks ) — Protected by Remediation It is recommended to apply both solutions below: Solution A: Anchor the Regular Expression In line 26: Solution B: Use Instead of In line 32: POC Code Step 1: Confirm normal request is blocked Step 2: Bypass authentication via query string injection Bypass values: Any public endpoint pattern can be used as a bypass value, for example:

Goal Reached Thanks to every supporter — we hit 100%!

Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints · Advisory · Budibase/budibase · GitHub

More from this source