High severityNVD Advisory· Published Oct 19, 2023· Updated Sep 12, 2024

Directus crashes on invalid WebSocket message

CVE-2023-45820

Description

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash Directus. This issue has been addressed in version 10.6.2. Users are advised to upgrade. Users unable to upgrade should avoid using websockets.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
directusnpm	>= 10.4.0, < 10.6.2	10.6.2

Affected products

Monospace/Directusv5
Range: >=10.4, < 10.6.2

Patches

243eed781b42

Merge pull request from GHSA-hmgw-9jrg-hf2m

https://github.com/directus/directusBrainslugSep 19, 2023via ghsa

commit

1 file changed · +18 −0

api/src/websocket/controllers/base.ts+18 −0 modified

@@ -97,6 +97,20 @@ export default abstract class SocketController {
 		return null;
 	}
 
+	private catchInvalidMessages(ws: WebSocket) {
+		/**
+		 * This fix was done to prevent the API from crashing on receiving invalid WebSocket frames
+		 * https://github.com/directus/directus/security/advisories/GHSA-hmgw-9jrg-hf2m
+		 * https://github.com/websockets/ws/issues/2098
+		 */
+		// @ts-ignore <- required because "_socket" is not typed on WS
+		ws._socket.prependListener('data', (data) => data.toString());
+
+		ws.on('error', (error) => {
+			if (error.message) logger.debug(error.message);
+		});
+	}
+
 	protected async handleUpgrade(request: IncomingMessage, socket: internal.Duplex, head: Buffer) {
 		const { pathname, query } = parse(request.url!, true);
 		if (pathname !== this.endpoint) return;
@@ -121,6 +135,7 @@ export default abstract class SocketController {
 		}
 
 		this.server.handleUpgrade(request, socket, head, async (ws) => {
+			this.catchInvalidMessages(ws);
 			const state = { accountability: null, expires_at: null } as AuthenticationState;
 			this.server.emit('connection', ws, state);
 		});
@@ -146,13 +161,16 @@ export default abstract class SocketController {
 		}
 
 		this.server.handleUpgrade(request, socket, head, async (ws) => {
+			this.catchInvalidMessages(ws);
 			const state = { accountability, expires_at } as AuthenticationState;
 			this.server.emit('connection', ws, state);
 		});
 	}
 
 	protected async handleHandshakeUpgrade({ request, socket, head }: UpgradeContext) {
 		this.server.handleUpgrade(request, socket, head, async (ws) => {
+			this.catchInvalidMessages(ws);
+
 			try {
 				const payload = await waitForAnyMessage(ws, this.authentication.timeout);
 				if (getMessageType(payload) !== 'auth') throw new Error();

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-hmgw-9jrg-hf2mghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-45820ghsaADVISORY
github.com/directus/directus/commit/243eed781b42d6b4948ddb8c3792bcf5b44f55bbghsax_refsource_MISCWEB
github.com/directus/directus/releases/tag/v10.6.2ghsaWEB
github.com/directus/directus/security/advisories/GHSA-hmgw-9jrg-hf2mghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000