VYPR
Moderate severity · NVD Advisory · Published Apr 4, 2023 · Updated Feb 14, 2025

CVE-2020-19850

Description

An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-19850: Directus API v2.2.0 allows remote attackers to cause denial of service via a high volume of HTTP requests.

Vulnerability Description

CVE-2020-19850 affects Directus API version 2.2.0, allowing a remote attacker to cause a denial of service (DoS) by sending a large number of HTTP requests. This issue was reported as a replay attack vector where the application cannot distinguish legitimate requests from duplicates, leading to resource exhaustion [1][2].

Exploitation

An attacker can exploit this vulnerability by flooding the Directus API with numerous identical requests over a short period. No authentication is required if the endpoint is publicly accessible, and the attack can be launched from any network position [2]. The use of HTTPS does not mitigate this at the application layer, as it only protects against network-level replay [2].

Impact

Successful exploitation results in denial of service, rendering the application unresponsive to legitimate users. The business risk includes potential service disruption, especially if a malicious insider or authenticated user initiates the attack [2].

Mitigation

The issue was addressed by implementing anti-automation mechanisms such as CAPTCHA [2]. Directus v2.2.0 is end-of-life and archived; users are strongly advised to upgrade to the latest version (Directus v8 archive) for continued support and security fixes [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         | Affected versions  | Patched versions
directus (npm)  | >= 2.2.0, < 2.2.1  | 2.2.1

Affected products

2
  • Directus/Directus API (description)
  • ghsa-coords
    Range: >= 2.2.0, < 2.2.1

Patches

0

No patches discovered yet.

References

3
