PT-2024-40070 · Budibase+2

Published: 2024-03-01 · Updated: 2024-03-01

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 2.20.0
Description: The issue arises from a vulnerability in the vm2 library used for code execution inside the Budibase builder and apps. This vulnerability allows users to escape the sandbox provided by vm2 and expose server-side variables such as process.env. The authors of vm2 recommend moving to another solution for remote JS execution due to this vulnerability.
Recommendations: For Budibase versions prior to 2.20.0, update to version 2.20.0 or later, which migrates the JS sandbox infrastructure to isolated-vm, a more secure library for remote code execution. This update also provides a performance benefit in caching and executing JS server-side. Self-hosted users must manage these updates themselves, while the Budibase cloud platform has already been patched.

Fix

Code Injection


Weakness Enumeration

Related Identifiers

GHSA-4G2X-VQ5P-5VJ6

Affected Products

Budibase
Isolated-Vm
Vm2