VulnerableCode Package Details - pkg:npm/directus@9.16.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/directus@9.16.0

Essentials
History (1)

purl	pkg:npm/directus@9.16.0

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-et4m-8y15-9fb9	Exposure of Sensitive Information to an Unauthorized Actor Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator in version 9.16.0. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by ensuring that no user has `read` access to the `password` field in `directus_users`.	CVE-2023-27481 GHSA-m5q3-8wgf-x8xf

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-30T20:59:57.508892+00:00	GitLab Importer	Fixing	VCID-et4m-8y15-9fb9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2023-27481.yml	38.6.0