VYPR
Moderate severity · NVD Advisory · Published May 13, 2024 · Updated Aug 2, 2024

Directus Lacks Session Tokens Invalidation

CVE-2024-34709

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens behave like Directus's other JWT tokens: they are not actually invalidated when logging out. The directus_session row is destroyed and the cookie is deleted, but if the cookie value has been captured it keeps working for the entire expiry time, which is 1 day by default. This makes it effectively a long-lived, unrevokable stateless token rather than the stateful session token it was meant to be. This vulnerability is fixed in 10.11.0.
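To make the stateless-versus-stateful distinction in the description concrete, here is an added example (not Directus code) that models both checks on a minimal HS256 JWT: a purely stateless check (signature plus expiry, the pre-10.11.0 behaviour) and a stateful check that additionally requires a live row in a server-side session store, standing in for the directus_sessions table. The secret, the session-id format and the in-memory store are constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed example: a toy HS256 JWT plus two validators. Not Directus code;
// it models the behaviour the advisory describes.
const SECRET = "constructed-example-secret"; // assumption: shared signing secret

type Payload = { id: string; session?: string; exp: number };

function toB64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromB64url(s: string): Buffer {
  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64");
}

function sign(payload: Payload, secret: string): string {
  const header = toB64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" }), "utf8"));
  const body = toB64url(Buffer.from(JSON.stringify(payload), "utf8"));
  const sig = toB64url(createHmac("sha256", secret).update(`${header}.${body}`).digest());
  return `${header}.${body}.${sig}`;
}

// Stateless check: signature and expiry only. Nothing here can observe a logout,
// so a captured token stays usable until `exp`.
function verifyStateless(token: string, secret: string, now: number): Payload | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  const given = fromB64url(sig);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  const payload = JSON.parse(fromB64url(body).toString("utf8")) as Payload;
  if (payload.exp <= now) return null;
  return payload;
}

// In-memory stand-in for the directus_sessions table (assumption: token, user, expires).
type SessionRow = { token: string; user: string; expires: number };
const sessions = new Map<string, SessionRow>();

function login(userId: string, now: number, ttlSeconds = 86400): string {
  const sessionId = `sess-${userId}-${now}`; // constructed id; real systems use random ids
  sessions.set(sessionId, { token: sessionId, user: userId, expires: now + ttlSeconds });
  return sign({ id: userId, session: sessionId, exp: now + ttlSeconds }, SECRET);
}

function logout(sessionId: string): void {
  sessions.delete(sessionId); // what "destroying the directus_session" amounts to
}

// Stateful check: same signature/expiry check, then require that the session row
// still exists for this user and is unexpired, mirroring the fix's verifySessionJWT.
function verifyStateful(token: string, secret: string, now: number): Payload | null {
  const payload = verifyStateless(token, secret, now);
  if (!payload) return null;
  if (payload.session !== undefined) {
    const row = sessions.get(payload.session);
    if (!row || row.user !== payload.id || row.expires < now) return null;
  }
  return payload;
}

// Scenario: log in, keep a copy of the token, log out, then replay the copy an hour later.
function replayAfterLogout(): { stateless: boolean; stateful: boolean } {
  const t0 = 1_700_000_000;
  const token = login("user-1", t0);
  const sessionId = verifyStateless(token, SECRET, t0)!.session!;
  logout(sessionId);
  const later = t0 + 3600;
  return {
    stateless: verifyStateless(token, SECRET, later) !== null, // still accepted
    stateful: verifyStateful(token, SECRET, later) !== null,   // rejected
  };
}

// Sanity check: a token whose session is still live passes the stateful check.
function validWhileLoggedIn(): boolean {
  const token = login("user-2", 1_700_000_000);
  return verifyStateful(token, SECRET, 1_700_000_060) !== null;
}
```

The stateful validator adds one store lookup per request; that lookup is the price of being able to revoke, and it is exactly what the 10.11.0 change introduces in the request path.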

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: directus (npm)
Affected versions: >= 10.10.0, < 10.11.0
Patched versions: 10.11.0

Affected products: 1

Patches: 1

Commit a6172f8a6a0f

Improved session token validation (#22353)

Repository: https://github.com/directus/directus · Author: Brainslug · May 2, 2024 · via ghsa
3 files changed · +36 −0
  • api/src/utils/get-accountability-for-token.ts (+5 −0, modified)
    @@ -3,6 +3,7 @@ import { InvalidCredentialsError } from '@directus/errors';
     import type { Accountability } from '@directus/types';
     import getDatabase from '../database/index.js';
     import isDirectusJWT from './is-directus-jwt.js';
    +import { verifySessionJWT } from './verify-session-jwt.js';
     import { verifyAccessJWT } from './jwt.js';
     
     export async function getAccountabilityForToken(
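Review bot: style point on the new import line: `import { verifySessionJWT } from './verify-session-jwt.js';` lands between the `isDirectusJWT` and `verifyAccessJWT` imports, splitting the two JWT helpers; placing it next to `import { verifyAccessJWT } from './jwt.js';` (or housing the new function in jwt.js alongside verifyAccessJWT, since both are token checks) would keep the token-verification imports together. Nothing functional to flag in this hunk.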
    @@ -24,6 +25,10 @@ export async function getAccountabilityForToken(
     		if (isDirectusJWT(token)) {
     			const payload = verifyAccessJWT(token, env['SECRET'] as string);
     
    +			if ('session' in payload) {
    +				await verifySessionJWT(payload);
    +			}
    +
     			accountability.role = payload.role;
     			accountability.admin = payload.admin_access === true || payload.admin_access == 1;
     			accountability.app = payload.app_access === true || payload.app_access == 1;
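Review bot: the `if ('session' in payload)` guard means the database lookup only runs for tokens that carry a `session` claim, so any token minted without that claim keeps the old stateless behaviour by design; that deserves a comment on the guard, plus a regression test asserting that `getAccountabilityForToken` rejects a session token whose directus_sessions row has been deleted by logout. The placement is right: `verifySessionJWT` is awaited before `accountability.role`, `admin` and `app` are populated, so a revoked session never yields a partially filled accountability object.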
    
  • api/src/utils/verify-session-jwt.ts (+26 −0, added)
    @@ -0,0 +1,26 @@
    +import getDatabase from '../database/index.js';
    +import { InvalidTokenError } from '@directus/errors';
    +import type { DirectusTokenPayload } from '../types/index.js';
    +
    +/**
    + * Verifies the associated session is still available and valid.
    + *
    + * @throws If session not found.
    + */
    +export async function verifySessionJWT(payload: DirectusTokenPayload) {
    +	const database = getDatabase();
    +
    +	const session = await database
    +		.select(1)
    +		.from('directus_sessions')
    +		.where({
    +			token: payload['session'],
    +			user: payload['id'],
    +		})
    +		.andWhere('expires', '>=', new Date())
    +		.first();
    +
    +	if (!session) {
    +		throw new InvalidTokenError();
    +	}
    +}
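Review bot: the `.andWhere('expires', '>=', new Date())` boundary accepts a row whose `expires` equals the current instant; `>` is the stricter choice, and because `new Date()` is produced on the API host rather than by the database, the check is also exposed to clock skew between the two, so a test around the expiry boundary is worth adding. The JSDoc `@throws If session not found.` should name the thrown type (`InvalidTokenError`): the calling file imports `InvalidCredentialsError`, and code mapping errors to HTTP status codes needs to know which of the two a revoked session produces. Binding both `token: payload['session']` and `user: payload['id']` in the `where` is the right call, since it stops a valid session id from being presented under a different user's claims.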
    
  • .changeset/late-lions-pump.md (+5 −0, added)
    @@ -0,0 +1,5 @@
    +---
    +"@directus/api": patch
    +---
    +
    +Improved session token validation
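Review bot: the changeset text `Improved session token validation` does not convey that this is a security fix (session tokens previously stayed valid after logout), so readers of the release notes cannot tell that they should upgrade and treat existing sessions as revocable only from 10.11.0 onward; suggest wording along the lines of "Fix session tokens remaining valid after logout" with a reference to the advisory.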
    
