Package details: pkg:npm/directus@10.10.0

purl: pkg:npm/directus@10.10.0
Next non-vulnerable version: 10.11.0
Latest non-vulnerable version: 11.14.1
Risk
Vulnerabilities affecting this package (1)

| Vulnerability | Summary | Aliases | Fixed by |
| --- | --- | --- | --- |
| VCID-8uym-xka8-cybb | | CVE-2024-34709, GHSA-g65h-35f3-x2w3 | 10.11.0 |

Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (2)

Vulnerability: VCID-3cgw-zr3k-3fen
Aliases: CVE-2024-28238, GHSA-2ccr-g2rv-h677
Summary: Session Token in URL in directus

### Impact
When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user.

### Patches
_Has the problem been patched? What versions should users upgrade to?_

### Workarounds
There's no workaround available.

### References
_Are there any links users can visit to find out more?_

Vulnerability: VCID-8r4e-a1vf-9bd9
Aliases: CVE-2024-28239, GHSA-fr3w-2p22-6w7p
Summary: URL Redirection to Untrusted Site in OAuth2/OpenID in directus

### Summary
The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL https://docs.directus.io/reference/authentication.html#login-using-sso-providers /auth/login/google?redirect for example.

### Details
There's a redirect that is done after successful login via the Auth API GET request to `directus/auth/login/google?redirect=http://malicious-fishing-site.com`, which I think is here: https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L394. While credentials don't seem to be passed to the attacker site, the user can be phished into clicking a legitimate directus site and be taken to a malicious site made to look like an error message "Your password needs to be updated" to phish out the current password.

### PoC
Turn on any auth provider in Directus instance. Form a link to `directus-instance/auth/login/:provider_id?redirect=http://malicious-fishing-site.com`, log in and get taken to malicious-site. Tested on the `ory` OAuth2 integration.

### Impact
Users who log in via OAuth2 into Directus.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-05-31T01:03:03.819001+00:00 | GHSA Importer | Affected by | VCID-8uym-xka8-cybb | https://github.com/advisories/GHSA-g65h-35f3-x2w3 | 38.6.0 |
| 2026-05-31T01:02:27.513092+00:00 | GHSA Importer | Fixing | VCID-8r4e-a1vf-9bd9 | https://github.com/advisories/GHSA-fr3w-2p22-6w7p | 38.6.0 |
| 2026-05-31T01:02:27.463389+00:00 | GHSA Importer | Fixing | VCID-3cgw-zr3k-3fen | https://github.com/advisories/GHSA-2ccr-g2rv-h677 | 38.6.0 |
| 2026-05-30T21:03:35.868426+00:00 | GitLab Importer | Fixing | VCID-8r4e-a1vf-9bd9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2024-28239.yml | 38.6.0 |
| 2026-05-30T21:03:35.649142+00:00 | GitLab Importer | Fixing | VCID-3cgw-zr3k-3fen | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2024-28238.yml | 38.6.0 |