GHSA-726G-59WR-CJ4C
Vulnerability from github – Published: 2026-03-09 16:56 – Updated: 2026-03-10 18:39
Summary
@budibase/server: Command Injection in PostgreSQL Dump Command
Details
**Location**: `packages/server/src/integrations/postgres.ts:529-531`
#### Description
The PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command.
#### Code Reference
```typescript
const dumpCommand = `PGPASSWORD="${
  this.config.password
}" pg_dump --schema-only "${dumpCommandParts.join(" ")}"`
```
#### Attack Vector
An attacker who can control database configuration values (e.g., through compromised credentials or configuration injection) can inject shell commands. For example:
- Password: `password"; malicious-command; echo "`
- Database name: `db"; rm -rf /; echo "`
#### Impact
- Remote code execution
- System compromise
- Data exfiltration
#### Recommendation
1. Use environment variables for sensitive values instead of command-line arguments
2. Validate and sanitize all configuration values
3. Use proper escaping for shell arguments
4. Consider using a PostgreSQL library's native dump functionality instead of shell commands
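The recommendations above, carried through as an added example (this is not Budibase's code and not the advisory's own fix): a builder that validates the connection values, places the password in the environment, and returns an argument array for `execFile`, so no shell ever sees the values. The `PgConfig` shape, the host and port checks, and the rejection of database names that pg_dump would parse as a connection string are assumptions made here; the hostile password and database name used to exercise it are the advisory's own payloads.

```typescript
import { execFile } from "child_process"
import { promisify } from "util"

const execFileAsync = promisify(execFile)

// Hypothetical connection config; field names follow the advisory's fix.
export interface PgConfig {
  host: string
  port: number
  user: string
  password: string
  database: string
}

export interface PgDumpInvocation {
  file: string
  args: string[]
  env: Record<string, string | undefined>
}

// Hostnames and IP literals only (assumption: letters, digits, dots, hyphens
// and colons for IPv6). Anything else is a configuration error, not a value
// worth passing along.
const HOST_RE = /^[A-Za-z0-9.:-]+$/

// pg_dump treats a --dbname value that contains "=" or starts with a
// postgresql:// or postgres:// prefix as a full connection string, which
// would let the database-name field redirect the dump to another server.
function looksLikeConnInfo(name: string): boolean {
  return name.includes("=") || /^postgres(ql)?:\/\//i.test(name)
}

export function buildPgDumpInvocation(cfg: PgConfig): PgDumpInvocation {
  if (!HOST_RE.test(cfg.host)) {
    throw new Error("invalid host")
  }
  if (!Number.isInteger(cfg.port) || cfg.port < 1 || cfg.port > 65535) {
    throw new Error("invalid port")
  }
  if (cfg.user.length === 0) {
    throw new Error("invalid user")
  }
  if (
    cfg.database.length === 0 ||
    cfg.database.length > 63 ||
    looksLikeConnInfo(cfg.database)
  ) {
    throw new Error("invalid database name")
  }
  // Every option is one argv entry in --key=value form, so a value can never
  // be split into further tokens or mistaken for a separate option.
  const args = [
    "--schema-only",
    `--host=${cfg.host}`,
    `--port=${cfg.port}`,
    `--username=${cfg.user}`,
    `--dbname=${cfg.database}`,
  ]
  // The password reaches pg_dump through its environment only; it never
  // appears in argv, in the process list, or on a shell command line.
  const env = { ...process.env, PGPASSWORD: cfg.password }
  return { file: "pg_dump", args, env }
}

// execFile spawns pg_dump directly (no /bin/sh), so shell metacharacters in
// any of the values are inert.
export async function runSchemaDump(cfg: PgConfig): Promise<string> {
  const { file, args, env } = buildPgDumpInvocation(cfg)
  const { stdout } = await execFileAsync(file, args, { env })
  return stdout
}
```

Keeping the builder separate from the spawn makes the invocation unit-testable without a PostgreSQL installation: a test can assert that a hostile password never appears in `args` and that a payload-laden database name stays a single argv entry, which is exactly the property the template-string version lacked.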
#### Example Fix
```typescript
import { execFile } from "child_process"
import { promisify } from "util"
const execFileAsync = promisify(execFile)

// Use execFile with an argument array: no shell is spawned, so no value is
// interpreted as shell syntax. The password travels in the environment,
// not on the command line.
async function dumpSchema(config: {
  host: string
  port: number
  user: string
  password: string
  database: string
}): Promise<string> {
  const env = {
    ...process.env,
    PGPASSWORD: config.password,
  }
  const args = [
    "--schema-only",
    "--host", config.host,
    "--port", config.port.toString(),
    "--username", config.user,
    "--dbname", config.database,
  ]
  try {
    const { stdout } = await execFileAsync("pg_dump", args, { env })
    return stdout
  } catch (error) {
    // Surface the failure to the caller rather than returning undefined
    throw new Error(`pg_dump failed: ${(error as Error).message}`)
  }
}
```
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@budibase/server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.23.32"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25041"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-09T16:56:26Z",
"nvd_published_at": "2026-03-09T20:16:07Z",
"severity": "HIGH"
},
"details": "**Location**: `packages/server/src/integrations/postgres.ts:529-531` \n\n#### Description\nThe PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command.\n\n#### Code Reference\n```529:531:packages/server/src/integrations/postgres.ts\n const dumpCommand = `PGPASSWORD=\"${\n this.config.password\n }\" pg_dump --schema-only \"${dumpCommandParts.join(\" \")}\"`\n```\n\n#### Attack Vector\nAn attacker who can control database configuration values (e.g., through compromised credentials or configuration injection) can inject shell commands. For example:\n- Password: `password\"; malicious-command; echo \"`\n- Database name: `db\"; rm -rf /; echo \"`\n\n#### Impact\n- Remote code execution\n- System compromise\n- Data exfiltration\n\n#### Recommendation\n1. Use environment variables for sensitive values instead of command-line arguments\n2. Validate and sanitize all configuration values\n3. Use proper escaping for shell arguments\n4. Consider using a PostgreSQL library\u0027s native dump functionality instead of shell commands\n\n#### Example Fix\n```typescript\nimport { execFile } from \"child_process\"\nimport { promisify } from \"util\"\nconst execFileAsync = promisify(execFile)\n\n// Use execFile with proper argument handling\nconst env = {\n ...process.env,\n PGPASSWORD: this.config.password\n}\n\nconst args = [\n \"--schema-only\",\n \"--host\", this.config.host,\n \"--port\", this.config.port.toString(),\n \"--username\", this.config.user,\n \"--dbname\", this.config.database\n]\n\ntry {\n const { stdout } = await execFileAsync(\"pg_dump\", args, { env })\n return stdout\n} catch (error) {\n // Handle error\n}\n```",
"id": "GHSA-726g-59wr-cj4c",
"modified": "2026-03-10T18:39:09Z",
"published": "2026-03-09T16:56:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-726g-59wr-cj4c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25041"
},
{
"type": "WEB",
"url": "https://github.com/Budibase/budibase/commit/9fdbff32fb9e69650ba899a799e13f80d9b09e93"
},
{
"type": "PACKAGE",
"url": "https://github.com/Budibase/budibase"
},
{
"type": "WEB",
"url": "https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c85/packages/server/src/integrations/postgres.ts#L529-L531"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@budibase/server: Command Injection in PostgreSQL Dump Command"
}