Cyber Security News

Bubble.io 0-Day Flaw Lets Attackers Run Arbitrary Queries on Elasticsearch

A vulnerability in Bubble.io, a leading no-code development platform, has exposed thousands of applications to data breaches.

The flaw allows attackers to bypass security controls and execute arbitrary queries on Elasticsearch databases, potentially compromising sensitive user information.

Security researchers reverse-engineered Bubble.io’s JavaScript code and HTTP headers to uncover flaws in how the platform encrypts and handles Elasticsearch queries.

The weakness stems from insecure cryptographic practices and hardcoded parameters that could be exploited to decrypt and manipulate search requests.

Key components of the exploit include:

  • Elasticsearch: Used by Bubble.io to power application searches.
  • AES-CBC + PBKDF2_HMAC: Encryption methods protecting queries, but implemented with reusable, predictable values.

How the Exploit Works

Payload Structure

Bubble.io’s encrypted payload comprises three parts:

  1. y: A Base64-encoded timestamp.
  2. x: A Base64-encoded initialization vector (IV).
  3. z: The encrypted query, derived using the app’s name (from the X-Bubble-Appname header) and hardcoded IVs (po9 and fl1).

Decryption Process

Attackers can decrypt the payload by:

  1. Extracting the app name from HTTP headers.
  2. Using hardcoded IVs shared across all Bubble apps.
  3. Applying AES decryption to reveal the raw Elasticsearch query.

Once decrypted, malicious actors can modify queries to bypass restrictions, such as limits on returned results or allowed comparison operators.

Exploit Demonstration

Researchers demonstrated how a benign query for a single user’s email:

{"query": {"term": {"email": "user@example.com"}}, "size": 1} 

Could be altered to retrieve all user data:

{"query": {"match_all": {}}, "size": 10000} 

This manipulation exposes sensitive fields like emails, hashed passwords, and payment details.

Impact and Risks

The vulnerability enables attackers to:

  • Extract entire databases via Elasticsearch.
  • Bypass security controls like query sanitization.
  • Target any Bubble.io app using default configurations.

While Bubble.io has not yet released an official patch, researchers urge developers to:

  1. Audit Elasticsearch query configurations.
  2. Rotate API keys and sensitive data.
  3. Monitor logs for unusual search activity.

This flaw highlights the hidden risks of no-code platforms, which often abstract away critical security considerations.

While Bubble.io democratizes app development, its opaque infrastructure can create blind spots for developers.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Dutch Services Disrupted by DDoS Attacks From Russian-Affiliated Hacktivists

Multiple Dutch organizations have experienced significant service disruptions this week due to a series of…

7 hours ago

Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands

A major supply chain security incident has rocked the Python open-source community as researchers at…

7 hours ago

CISA Issues New ICS Advisories Addressing Critical Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has issued two new advisories revealing critical vulnerabilities…

9 hours ago

NVIDIA TensorRT-LLM Vulnerability Let Hackers Run Malicious Code

NVIDIA has issued an urgent security advisory after discovering a significant vulnerability (CVE-2025-23254) in its…

9 hours ago

CISA Issues Alert on Actively Exploited Apache HTTP Server Escape Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a newly…

10 hours ago

Disney Hacker Admits Guilt After Stealing 1.1TB of Internal Data

A 25-year-old man from Santa Clarita, California, has agreed to plead guilty to hacking into…

11 hours ago