VYPR
High severity · NVD Advisory · Published Jul 8, 2024 · Updated Aug 2, 2024

Directus GraphQL Field Duplication Denial of Service (DoS)

CVE-2024-39895

Description

Directus is a real-time API and App dashboard for managing SQL database content. A denial-of-service (DoS) attack by field duplication in GraphQL is an attack in which the attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field many times in a single query. This makes the server perform redundant computation and consume excessive resources, denying service to legitimate users. Requests to the /graphql endpoint are sent when visualizing graphs generated in a dashboard; by modifying the data sent and duplicating the fields many times, a DoS attack is possible. The fix caps the number of tokens graphql-js will lex per query (GRAPHQL_QUERY_TOKEN_LIMIT, default 5000), so an oversized query is rejected with a validation error before it is validated or executed. This vulnerability is fixed in 10.12.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @directus/env (npm)
Affected versions: < 1.1.6
Patched versions: 1.1.6

Affected products (1)

Patches (2)

Commit 543b34569507

Merge pull request from GHSA-7hmh-pfrp-vcx4

https://github.com/directus/directus · Brainslug · Jun 4, 2024 · via ghsa
5 files changed · +19 −5
  • api/src/middleware/graphql.ts (+6 −1, modified)
    @@ -6,6 +6,7 @@ import { InvalidPayloadError, InvalidQueryError, MethodNotAllowedError } from '@
     import { GraphQLValidationError } from '../services/graphql/errors/validation.js';
     import type { GraphQLParams } from '../types/index.js';
     import asyncHandler from '../utils/async-handler.js';
    +import { useEnv } from '@directus/env';
     
     export const parseGraphQL: RequestHandler = asyncHandler(async (req, res, next) => {
     	if (req.method !== 'GET' && req.method !== 'POST') {
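Review bot: the new `import { useEnv } from '@directus/env';` is placed below the relative imports (`../services/graphql/errors/validation.js`, `../types/index.js`, `../utils/async-handler.js`) while the file keeps its other package import (`from '@...` on the first context line) above them; move it up with the package imports so the grouping stays consistent.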
    @@ -42,7 +43,11 @@ export const parseGraphQL: RequestHandler = asyncHandler(async (req, res, next)
     	}
     
     	try {
    -		document = parse(new Source(query));
    +		const env = useEnv();
    +
    +		document = parse(new Source(query), {
    +			maxTokens: Number(env['GRAPHQL_QUERY_TOKEN_LIMIT']),
    +		});
     	} catch (err: any) {
     		throw new GraphQLValidationError({
     			errors: [err],
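Review bot: the `Number(env['GRAPHQL_QUERY_TOKEN_LIMIT'])` cast passed as `maxTokens` has no guard for a value that is not a positive finite number. If an operator sets the variable to a non-numeric string, `Number()` yields NaN, a greater-than comparison against NaN never fires, and the cap is silently disabled; a value of 0 makes the first token exceed the limit and rejects every query. Suggest validating the limit once (for example `Number.isFinite(limit) && limit > 0`) and falling back to the default or failing at startup, and resolving it outside the per-request handler rather than calling `useEnv()` inside the `try` on every request.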
    
  • .changeset/flat-kids-jump.md (+6 −0, added)
    @@ -0,0 +1,6 @@
    +---
    +'@directus/env': patch
    +'@directus/api': patch
    +---
    +
    +Added a configurable max token limit for GraphQL queries
    
  • docs/self-hosted/config-options.md (+5 −4, modified)
    @@ -1047,10 +1047,11 @@ Directus collects little and anonymized data about your environment.
     
     Allows you to configure hard technical limits, to prevent abuse and optimize for your particular server environment.
     
    -| Variable                | Description                                                                               | Default Value |
    -| ----------------------- | ----------------------------------------------------------------------------------------- | ------------- |
    -| `RELATIONAL_BATCH_SIZE` | How many rows are read into memory at a time when constructing nested relational datasets | 25000         |
    -| `EXPORT_BATCH_SIZE`     | How many rows are read into memory at a time when constructing exports                    | 5000          |
    +| Variable                    | Description                                                                                                                     | Default Value |
    +| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | ------------- |
    +| `RELATIONAL_BATCH_SIZE`     | How many rows are read into memory at a time when constructing nested relational datasets                                       | 25000         |
    +| `EXPORT_BATCH_SIZE`         | How many rows are read into memory at a time when constructing exports                                                          | 5000          |
    +| `GRAPHQL_QUERY_TOKEN_LIMIT` | How many GraphQL query tokens will be parsed. [More details here](https://graphql-js.org/api/interface/parseoptions/#maxTokens) | 5000          |
     
     ## WebSockets
     
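Review bot: the description for `GRAPHQL_QUERY_TOKEN_LIMIT` ("How many GraphQL query tokens will be parsed") reads as if the parser stops at the limit and works with what it has; the middleware change in this same patch wraps the parse error in a validation error, so a query over the limit is rejected outright. Suggest wording such as "Maximum number of tokens a GraphQL query may contain; larger queries are rejected" so operators who raise or lower the value know what to expect.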
    
  • packages/env/src/constants/defaults.ts (+1 −0, modified)
    @@ -120,6 +120,7 @@ export const DEFAULTS = {
     	FILE_METADATA_ALLOW_LIST: 'ifd0.Make,ifd0.Model,exif.FNumber,exif.ExposureTime,exif.FocalLength,exif.ISOSpeedRatings',
     
     	GRAPHQL_INTROSPECTION: true,
    +	GRAPHQL_QUERY_TOKEN_LIMIT: 5000,
     
     	WEBSOCKETS_ENABLED: false,
     	WEBSOCKETS_REST_ENABLED: true,
    
  • packages/env/src/constants/directus-variables.ts (+1 −0, modified)
    @@ -15,6 +15,7 @@ export const DIRECTUS_VARIABLES = [
     	'SERVE_APP',
     	'GRAPHQL_INTROSPECTION',
     	'GRAPHQL_SCHEMA_CACHE_CAPACITY',
    +	'GRAPHQL_QUERY_TOKEN_LIMIT',
     	'MAX_BATCH_MUTATION',
     	'LOGGER_.+',
     	'QUERY_LIMIT_MAX',
    

Vulnerability mechanics

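A worked illustration of the mechanics, added here as an example; it is not Directus or graphql-js code. It builds the field-duplication payload the description refers to, then applies a parse-time token cap that behaves like the maxTokens option the fix passes to graphql-js parse(): lexing aborts as soon as the running token count exceeds the limit, so the request is rejected before any validation or execution work is done. The lexer is a deliberately minimal stand-in (punctuators, names, numbers and plain strings only; no block strings), and the collection and field names, the helper names and the fallback logic in resolveTokenLimit are assumptions for illustration. resolveTokenLimit also shows the check a practitioner would want around the Number() cast used in the fix: a non-numeric value yields NaN, which never trips a greater-than comparison and so would silently disable the cap.

```typescript
// Added example, not Directus project code: a field-duplication payload of the
// kind the advisory describes, and a parse-time token cap that behaves like the
// `maxTokens` option the fix passes to graphql-js `parse()`.

// Default chosen by the fix for GRAPHQL_QUERY_TOKEN_LIMIT.
export const DEFAULT_TOKEN_LIMIT = 5000;

// Build a query that repeats one field `copies` times inside one selection set.
// "articles" / "id" in the demo below are illustrative names, not Directus fixtures.
export function buildDuplicatedFieldQuery(collection: string, field: string, copies: number): string {
  const fields: string[] = [];
  for (let i = 0; i < copies; i++) fields.push(field);
  return "query { " + collection + " { " + fields.join(" ") + " } }";
}

// Turn a raw configuration value into a usable limit (assumed helper). A bare
// Number() cast of a non-numeric string yields NaN, and `count > NaN` is never
// true, which would silently disable the cap; a zero or negative limit would
// reject every query. Fall back to the default in both cases.
export function resolveTokenLimit(raw: string | number | undefined, fallback: number = DEFAULT_TOKEN_LIMIT): number {
  const n = Number(raw);
  return isFinite(n) && n > 0 ? n : fallback;
}

// Minimal GraphQL lexer that only counts tokens (punctuators, names, numbers and
// plain strings; block strings are not handled). Like graphql-js, it aborts the
// moment the running count exceeds `maxTokens`, before the rest of the input is read.
export function countTokens(source: string, maxTokens?: number): number {
  const punctuators = "!$&():=@[]{}|";
  const n = source.length;
  let count = 0;
  let i = 0;
  while (i < n) {
    const c = source.charAt(i);
    // Ignored tokens: whitespace, commas and comments.
    if (c === " " || c === "\t" || c === "\n" || c === "\r" || c === ",") { i++; continue; }
    if (c === "#") { while (i < n && source.charAt(i) !== "\n") i++; continue; }
    if (source.slice(i, i + 3) === "...") {
      i += 3;                                                       // spread
    } else if (punctuators.indexOf(c) !== -1) {
      i++;                                                          // single-character punctuator
    } else if (/[A-Za-z_]/.test(c)) {
      while (i < n && /[A-Za-z0-9_]/.test(source.charAt(i))) i++;   // name
    } else if (c === "-" || /[0-9]/.test(c)) {
      i++;
      while (i < n && /[0-9.eE+\-]/.test(source.charAt(i))) i++;    // int or float
    } else if (c === '"') {
      i++;
      while (i < n && source.charAt(i) !== '"') {
        if (source.charAt(i) === "\\") i++;                         // skip escaped character
        i++;
      }
      i++;                                                          // closing quote
    } else {
      throw new SyntaxError("Unexpected character " + JSON.stringify(c) + " at offset " + i);
    }
    count++;
    if (maxTokens !== undefined && count > maxTokens) {
      throw new SyntaxError("Document contains more than " + maxTokens + " tokens. Parsing aborted.");
    }
  }
  return count;
}

export interface ParseOutcome {
  accepted: boolean;
  tokens?: number;
  reason?: string;
}

// Apply the cap the way the patched middleware does: lexing either completes or
// throws, and the caller answers with a validation error instead of executing.
export function checkQuery(query: string, rawLimit?: string | number): ParseOutcome {
  const limit = resolveTokenLimit(rawLimit);
  try {
    return { accepted: true, tokens: countTokens(query, limit) };
  } catch (err) {
    return { accepted: false, reason: (err as Error).message };
  }
}

// Demo: a field repeated 10 000 times is rejected at the default limit, a normal
// query passes, and a misconfigured limit still falls back to the default.
const attack = buildDuplicatedFieldQuery("articles", "id", 10000);
const benign = buildDuplicatedFieldQuery("articles", "id", 3);
console.log(checkQuery(attack));                  // accepted: false
console.log(checkQuery(benign));                  // accepted: true, tokens: 9
console.log(checkQuery(attack, "not-a-number"));  // accepted: false (limit fell back to 5000)
```

With the default limit, a selection of 4994 copies (5000 tokens) is accepted and 4995 copies (5001 tokens) is rejected. A token cap bounds the cost of lexing, not the cost of a query that fits under it, so the value should be set according to the largest legitimate query the dashboards actually issue rather than left at whatever happens to stop one payload.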

References (4)

News mentions (0)

No linked articles in our index yet.