npm package
directus
pkg:npm/directus
Vulnerabilities (53)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-53885 | — | — | — | >= 9.0.0, < 11.9.0 | 11.9.0 | Jul 14, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operatio |
| CVE-2025-30353 | — | — | — | >= 9.12.0, < 11.5.0 | 11.5.0 | Mar 26, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition |
| CVE-2025-30352 | — | — | — | >= 9.0.0-alpha.4, < 11.5.0 | 11.5.0 | Mar 26, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to vie |
| CVE-2025-30351 | — | — | — | >= 10.10.0, < 11.5.0 | 11.5.0 | Mar 26, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a chec |
| CVE-2025-30350 | — | — | — | >= 9.22, < 11.5.0 | 11.5.0 | Mar 26, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unav |
| CVE-2025-30225 | — | — | — | >= 9.22.0, < 11.5.0 | 11.5.0 | Mar 26, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unav |
| CVE-2025-27089 | — | — | — | >= 11.0.0, < 11.1.2 | 11.1.2 | Feb 19, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking access permissions against the item they apply |
| CVE-2025-24353 | — | — | — | < 11.2.0 | 11.2.0 | Jan 23, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be abl |
| CVE-2024-54151 | — | — | — | >= 11.0.0, < 11.3.0 | 11.3.0 | Dec 9, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operat |
| CVE-2024-54128 | — | — | — | >= 10.10.0, < 10.13.4 | 10.13.4 | Dec 5, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the |
| CVE-2024-46990 | — | — | — | < 10.13.3 | 10.13.3 | Sep 18, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This is |
| CVE-2024-45596 | — | — | — | < 10.13.3 | 10.13.3 | Sep 10, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoin |
| CVE-2024-6534 | — | — | — | < 10.13.2 | 10.13.2 | Aug 15, 2024 | Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chai |
| CVE-2024-39896 | — | — | — | >= 9.11, < 10.13.0 | 10.13.0 | Jul 8, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Direc |
| CVE-2024-39701 | — | — | — | >= 9.23.0, < 10.6.0 | 10.6.0 | Jul 8, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {"role": {"_in": $CURRENT_USER.some_field}} would evaluate to true allowing |
| CVE-2024-36128 | — | — | — | < 10.11.2 | 10.11.2 | Jun 3, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This create |
| CVE-2024-34709 | — | — | — | >= 10.10.0, < 10.11.0 | 10.11.0 | May 13, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if |
| CVE-2024-34708 | — | — | — | < 10.11.0 | 10.11.0 | May 13, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the `alias` functionality on the API. Normally, these redacted fields will retur |
| CVE-2024-28238 | — | — | — | < 10.10.0 | 10.10.0 | Mar 12, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser hi |
| CVE-2024-28239 | — | — | — | < 10.10.0 | 10.10.0 | Mar 12, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL. There's a redirect that is done after successful |
Page 2 of 3