VYPR
Moderate severity · NVD Advisory · Published Mar 1, 2024 · Updated Aug 8, 2024

Directus version number disclosure

CVE-2024-27296

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. The problem has been resolved in versions 10.8.3 and newer.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: directus (npm)
Affected versions: < 10.8.3
Patched versions: 10.8.3


Patches

a5a1c26ac487

replaced hardcoded versions in the app

https://github.com/directus/directus · Brainslug · Nov 30, 2023 · via GHSA
5 files changed · +6 −16
  • app/env.d.ts+0 2 modified
    @@ -1,4 +1,2 @@
     /// <reference types="vite/client" />
     /// <reference types="@histoire/plugin-vue/components" />
    -
    -declare const __DIRECTUS_VERSION__: string;
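Review bot: dropping the ambient `declare const __DIRECTUS_VERSION__` is the right companion to removing the `define`: any reference to the global left behind now fails type-checking instead of silently compiling to `undefined`. Worth a repo-wide search for `__DIRECTUS_VERSION__` before merge so nothing outside this diff still depends on it.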
    
  • app/src/main.ts+1 7 modified
    @@ -17,19 +17,13 @@ import { registerViews } from './views/register';
     init();
     
     async function init() {
    -	const version = __DIRECTUS_VERSION__;
    -
     	console.log(DIRECTUS_LOGO);
     
     	console.info(
     		`Hey! Interested in helping build this open-source data management platform?\nIf so, join our growing team of contributors at: https://directus.chat`,
     	);
     
    -	if (import.meta.env.DEV) {
    -		console.info(`%c🐰 Starting Directus v${version}...`, 'color:Green');
    -	} else {
    -		console.info(`%c🐰 Starting Directus...`, 'color:Green');
    -	}
    +	console.info(`%c🐰 Starting Directus...`, 'color:Green');
     
     	console.time('🕓 Application Loaded');
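Review bot: the DEV-only branch being removed here was not what protected production: `define` substitutes the literal at build time, and the same constant is rendered unconditionally in the settings navigation elsewhere in this change, so collapsing both branches into the plain `Starting Directus...` line is correct and the logged text is now identical in every mode. Minor: the surviving `console.info` still uses a template literal although nothing is interpolated; a plain string would do.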
     
    
  • app/src/modules/settings/components/navigation.vue+3 3 modified
    @@ -1,10 +1,10 @@
     <script setup lang="ts">
    +import { useServerStore } from '@/stores/server';
     import { computed } from 'vue';
     import { useI18n } from 'vue-i18n';
     
    -const version = __DIRECTUS_VERSION__;
    -
     const { t } = useI18n();
    +const { info } = useServerStore();
     
     const dataItems = [
     	{
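Review bot: `const { info } = useServerStore();` destructures straight from the store, which keeps reactivity only if `info` is a `reactive()` object on the store (the `info.project = ...` assignments in `server.ts` suggest it is). If it is ever changed to a `ref`, this line silently becomes a one-time snapshot; `const { info } = storeToRefs(useServerStore())` is the shape-independent form. Style: the new local `@/stores/server` import is placed above the two third-party `vue` imports.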
    @@ -103,7 +103,7 @@ const externalItems = computed(() => {
     		<v-list-item href="https://github.com/directus/directus/releases" class="version">
     			<v-list-item-icon><v-icon name="directus" /></v-list-item-icon>
     			<v-list-item-content>
    -				<v-text-overflow class="version" :text="`Directus ${version}`" />
    +				<v-text-overflow class="version" :text="`Directus ${info.version}`" />
     			</v-list-item-content>
     		</v-list-item>
     	</v-list>
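Review bot: `info.version` is declared optional (`version?: string`), so until the server-info request has resolved, or when the API omits the field, this renders the literal text `Directus undefined`. Suggest a fallback such as `:text="`Directus ${info.version ?? ''}`"` or hiding the item while `info.version` is unset.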
    
  • app/src/stores/server.ts+2 0 modified
    @@ -43,6 +43,7 @@ export type Info = {
     		default: number;
     		max: number;
     	};
    +	version?: string;
     };
     
     export type Auth = {
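Review bot: making `version` optional is right, since it is only present when the server-info response carries it, but a one-line doc comment on when it is absent (request not yet resolved, or the API withholding it) would save the next consumer from assuming it is always set.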
    @@ -83,6 +84,7 @@ export const useServerStore = defineStore('serverStore', () => {
     
     		info.project = serverInfoResponse.data.data?.project;
     		info.queryLimit = serverInfoResponse.data.data?.queryLimit;
    +		info.version = serverInfoResponse.data.data?.version;
     
     		auth.providers = authResponse.data.data;
     		auth.disableDefault = authResponse.data.disableDefault;
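Review bot: this moves the version from a build-time literal to the server-info response (`serverInfoResponse`), so the disclosure is now governed by the API's access control rather than by the bundle. Nothing in this diff shows the API side; the reviewer should confirm that the response only includes `version` for authenticated requests, otherwise the value has merely moved from a static file to an equally unauthenticated JSON response. A test that requests server info anonymously and asserts `version` is absent would pin that down.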
    
  • app/vite.config.js+0 4 modified
    @@ -18,16 +18,12 @@ import fs from 'node:fs';
     import path from 'node:path';
     import { searchForWorkspaceRoot } from 'vite';
     import { defineConfig } from 'vitest/config';
    -import { version } from '../directus/package.json';
     
     const API_PATH = path.join('..', 'api');
     const EXTENSIONS_PATH = path.join(API_PATH, 'extensions');
     
     // https://vitejs.dev/config/
     export default defineConfig({
    -	define: {
    -		__DIRECTUS_VERSION__: JSON.stringify(version),
    -	},
     	plugins: [
     		directusExtensions(),
     		vue(),
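Review bot: removing the `define` entry together with the `../directus/package.json` import is the root-cause fix: with `define`, Vite replaces `__DIRECTUS_VERSION__` with the JSON-stringified version at build time, so the exact version string landed in the public bundle regardless of how it was used at runtime. To keep this from regressing, consider a post-build step that searches `dist/` for the current package version and fails the build on a hit.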
    
