VulnerableCode Package Details - pkg:npm/%40directus/api@23.2.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/%40directus/api@23.2.0

Essentials
History (8)

purl	pkg:npm/%40directus/api@23.2.0

Next non-vulnerable version	32.2.0
Latest non-vulnerable version	32.2.0
Risk

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-5u8r-s8tz-guhm Aliases: CVE-2025-55746 GHSA-mv33-9f6j-pfmc		28.0.2 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-7fzh-j76t-5kd3 Aliases: CVE-2025-30351 GHSA-56p6-qw3c-fq2g		24.0.1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-anfb-6kfn-a7h7 Aliases: CVE-2026-26185 GHSA-jr94-gj3h-c8rf	Directus Vulnerable to User Enumeration via Password Reset Timing Attack A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration.	32.2.0 Affected by 0 other vulnerabilities.
VCID-hed8-anm5-ukc9 Aliases: CVE-2026-22032 GHSA-3573-4c68-g8cc	Directus has open redirect in SAML An open redirect vulnerability exists in the Directus SAML authentication callback endpoint. The `RelayState` parameter is used in redirects without proper validation against an allowlist of permitted domains.	32.1.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-na3v-me78-aqcg Aliases: CVE-2025-64749 GHSA-cph6-524f-3hgr	Directus Vulnerable to Information Leakage in Existing Collections An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections.	32.0.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-nvha-b5tb-dqdt Aliases: CVE-2025-64748 GHSA-8jpw-gpr4-8cmh	Directus's conceal fields are searchable if read permissions enabled A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data.	32.0.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-bjzg-mzjf-cfau		CVE-2024-54151 GHSA-849r-qrwj-8rv4

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T09:36:04.649608+00:00	GitLab Importer	Affected by	VCID-anfb-6kfn-a7h7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2026-26185.yml	38.6.0
2026-06-01T09:21:15.104272+00:00	GitLab Importer	Affected by	VCID-hed8-anm5-ukc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2026-22032.yml	38.6.0
2026-06-01T09:09:33.261648+00:00	GitLab Importer	Affected by	VCID-na3v-me78-aqcg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2025-64749.yml	38.6.0
2026-06-01T09:09:20.108262+00:00	GitLab Importer	Affected by	VCID-nvha-b5tb-dqdt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2025-64748.yml	38.6.0
2026-06-01T08:49:21.584847+00:00	GitLab Importer	Affected by	VCID-5u8r-s8tz-guhm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2025-55746.yml	38.6.0
2026-06-01T08:36:47.799215+00:00	GitLab Importer	Affected by	VCID-7fzh-j76t-5kd3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2025-30351.yml	38.6.0
2026-05-31T19:20:16.333477+00:00	GitLab Importer	Fixing	VCID-bjzg-mzjf-cfau	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2024-54151.yml	38.6.0
2026-05-31T10:46:52.756685+00:00	GithubOSV Importer	Fixing	VCID-bjzg-mzjf-cfau	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-849r-qrwj-8rv4/GHSA-849r-qrwj-8rv4.json	38.6.0