High severity · NVD Advisory · Published Jun 3, 2024 · Updated Aug 2, 2024
Directus is soft-locked by providing a string value to random string util
CVE-2024-36128
Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric `length` value to the random string generation utility (the `/random/string` REST endpoint and its GraphQL equivalent) puts the generator into a broken state that persists until the process is restarted, so random strings can no longer be generated platform-wide. The pre-fix guard only rejected values whose numeric coercion exceeded 500; a value such as `length=abc` coerces to `NaN`, and `NaN > 500` is false, so it reached the generator unchecked. This creates a denial of service: logged-in sessions can no longer be refreshed, because issuing a session depends on generating a random session ID. The vulnerability is fixed in 10.11.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| directus (npm) | < 10.11.2 | 10.11.2 |
Patches (1)
7d2a1392f436 Fix #22572 Invalid query for random string (#22573)
3 files changed · +15 −8
api/src/controllers/utils.ts+7 −5 modified@@ -14,18 +14,20 @@ import { sanitizeQuery } from '../utils/sanitize-query.js'; const router = Router(); +const randomStringSchema = Joi.object<{ length: number }>({ + length: Joi.number().integer().min(1).max(500).default(32), +}); + router.get( '/random/string', asyncHandler(async (req, res) => { const { nanoid } = await import('nanoid'); - if (req.query && req.query['length'] && Number(req.query['length']) > 500) { - throw new InvalidQueryError({ reason: `"length" can't be more than 500 characters` }); - } + const { error, value } = randomStringSchema.validate(req.query, { allowUnknown: true }); - const string = nanoid(req.query?.['length'] ? Number(req.query['length']) : 32); + if (error) throw new InvalidQueryError({ reason: error.message }); - return res.json({ data: string }); + return res.json({ data: nanoid(value.length) }); }), );
api/src/services/graphql/index.ts+3 −3 modified@@ -2536,11 +2536,11 @@ export class GraphQLService { resolve: async (_, args) => { const { nanoid } = await import('nanoid'); - if (args['length'] && Number(args['length']) > 500) { - throw new InvalidPayloadError({ reason: `"length" can't be more than 500 characters` }); + if (args['length'] !== undefined && (args['length'] < 1 || args['length'] > 500)) { + throw new InvalidPayloadError({ reason: `"length" must be between 1 and 500` }); } - return nanoid(args['length'] ? Number(args['length']) : 32); + return nanoid(args['length'] ? args['length'] : 32); }, }, utils_hash_generate: {
.changeset/large-pans-dance.md+5 −0 added@@ -0,0 +1,5 @@ +--- +"@directus/api": patch +--- + +Fixed an issue where calling `/random/string` with an invalid length param could prevent creation of valid sessions until next restart
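Review bot: behaviour change worth documenting in the `api/src/controllers/utils.ts` hunk: the old code treated any falsy `length` (including an empty `?length=` query value) as the default of 32, whereas `Joi.number()` does not accept an empty string as far as I can tell, so `?length=` now fails with a `"length" must be a number` error unless the schema gains `.empty('')`. Either outcome is defensible, but the changeset should state which one was intended. A short comment that `allowUnknown: true` is what keeps unrelated query parameters from failing the schema would also help the next reader.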
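Review bot: the GraphQL guard in `api/src/services/graphql/index.ts` now relies on `args['length']` already being a number; that holds only if the argument is declared as a GraphQL `Int`, in which case strings and decimals are rejected before the resolver runs, which is why dropping `Number()` is safe here but would not be in the REST handler. A one-line comment saying so would keep the two paths visibly equivalent. Smaller point: since a `length` of 0 is already rejected by the `< 1` check, `args['length'] ? args['length'] : 32` only handles `undefined`/`null`, so `args['length'] ?? 32` states the intent more directly. The 1..500 bound is now duplicated across both files; a shared constant would keep them from drifting.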
References
- github.com/advisories/GHSA-632p-p495-25m5 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-36128 (NVD)
- github.com/directus/directus/commit/7d2a1392f43613094de700062aba168a9400dd3b (fix commit)
- github.com/directus/directus/security/advisories/GHSA-632p-p495-25m5 (project advisory)