It's incredible how many infrastructure takeovers start with a single missing character in a string, or with blind trust in an internal dashboard.

🔀 The Missing Slash Bypass

It turns out basic string matching is still hard. There is an authorization bypass in gRPC-Go tied to how it processes the HTTP/2 `:path` pseudo-header. If an attacker manually crafts a request and strips the leading slash, the backend router still finds the destination. But the RBAC interceptors evaluate the raw, un-slashed string.

If your service mesh relies on a default-allow fallback, the attacker's request completely evades your exact-match deny rules. They ask for `Service/Method` instead of `/Service/Method`, sail past the blocklist, and execute the call.

  • Action: Bump gRPC-Go to v1.79.3 today. If you can't restart right now, inject the validating interceptor from the advisory to drop malformed paths before they hit your auth logic.
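The mismatch above, reduced to the authorization side, as an added Go example (not gRPC-Go's code and not the advisory's interceptor): an exact-match deny rule checked against the raw path lets `Service/Method` through, while validating the path to the canonical `/Service/Method` form first rejects it before the deny list is consulted. The deny rule and service name are constructed placeholders, and wiring `ValidateMethodPath` into a real `grpc.UnaryInterceptor` is left out.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMalformedPath is returned for any method path that is not exactly
// "/Service/Method": leading slash, two non-empty segments, nothing else.
var ErrMalformedPath = errors.New("malformed gRPC method path")

// ValidateMethodPath is the check a validating interceptor runs before any
// authorization logic sees the path.
func ValidateMethodPath(path string) error {
	if !strings.HasPrefix(path, "/") {
		return ErrMalformedPath
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return ErrMalformedPath
	}
	return nil
}

// AuthorizeRaw is the vulnerable pattern: default-allow, with exact-match deny
// rules evaluated against the raw string, so "Service/Method" is never denied.
func AuthorizeRaw(path string, deny map[string]bool) bool {
	return !deny[path]
}

// AuthorizeValidated rejects malformed paths first, then applies the same
// deny list. The un-slashed variant can no longer slip past the rule.
func AuthorizeValidated(path string, deny map[string]bool) (bool, error) {
	if err := ValidateMethodPath(path); err != nil {
		return false, err
	}
	return AuthorizeRaw(path, deny), nil
}

func main() {
	// Constructed deny rule; the service name is a placeholder, not from the advisory.
	deny := map[string]bool{"/tenant.Admin/DeleteTenant": true}
	for _, p := range []string{"/tenant.Admin/DeleteTenant", "tenant.Admin/DeleteTenant", "/tenant.Admin/"} {
		ok, err := AuthorizeValidated(p, deny)
		fmt.Printf("%-28s raw-allow=%-5t validated-allow=%-5t err=%v\n", p, AuthorizeRaw(p, deny), ok, err)
	}
}
```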

🤑 Free Cloud Tokens via SSRF

Internal dashboards remain a massive liability. Budibase just disclosed an unrestricted SSRF inside its REST Datasource Query Preview endpoint. There is absolutely zero network validation happening on the backend.

Anyone with 'builder' or 'admin' access can swap the `fields.path` parameter to target `169.254.169.254`. The server happily executes the request and hands back cloud metadata tokens. This instantly escalates an application-level user to a full AWS or GCP infrastructure takeover. Attackers can also pivot to pillage internal Kubernetes APIs or the backing CouchDB.

  • Action: Apply the Budibase patch immediately to lock down the preview endpoint.