Budibase patches critical PostgreSQL pg_dump command injection
TL;DR - Budibase's PostgreSQL integration builds a pg_dump shell command by gluing config values together as a string. Inject shell metacharacters into the database name, host, or password and you get command execution on the server.
What happened
Budibase is the open-source low-code platform for building internal business apps. The new GitHub advisory covers the PostgreSQL integration that runs pg_dump for schema-only exports. The shell command is constructed by string-concatenating user-controlled configuration values - database name, host, password - with no sanitization. So those values can include extra shell commands.
Textbook CWE-77. The fix is the textbook one too: use execFile with an argument array, never build shell strings. This bug class keeps showing up in low-code platforms because every database integration needs to invoke a CLI tool somewhere.
Who is impacted
- Deployments using @budibase/server versions < 3.23.32.
- Environments where an attacker can influence PostgreSQL connection config values (via configuration injection, compromised admin credentials, or other paths).
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- Restrict and audit who can change database configuration values in Budibase.
- Consider rotating DB credentials and reviewing for suspicious characters in connection values if you suspect exposure.
- Prefer non-shell execution patterns (e.g., execFile with argument arrays) in similar internal tooling.
