Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-jx6x-mxnq-4qe2
Vulnerability ID VCID-jx6x-mxnq-4qe2
Aliases CVE-2024-34709
GHSA-g65h-35f3-x2w3
Summary Directus Lacks Session Tokens Invalidation ### Summary Currently session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if you captured the cookie value it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be. When authenticating a session token JWT, Directus should also check whether the associated `directus_session` both still exists and has not expired (although the token should expire at the same time or before the session) to ensure leaked tokens are not valid indefinitely. ## Steps to reproduce - Copy the current session token from the cookie - Refresh and or log out - Use the saved session token to check if it is still valid ### Impact The lack of proper session expiration may improve the likely success of certain attacks. For example, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Incorrect token invalidation could allow an attacker to use the browser's history to access a Directus instance session previously accessed by the victim.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-613 Insufficient Session Expiration
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2024-34709
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-g65h-35f3-x2w3
cvssv3.1 5.4 https://github.com/directus/directus
generic_textual MODERATE https://github.com/directus/directus
cvssv3.1 5.4 https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf
generic_textual MODERATE https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf
ssvc Track https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf
cvssv3.1 5.4 https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3
cvssv3.1_qr MODERATE https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3
generic_textual MODERATE https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3
ssvc Track https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2024-34709
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-34709
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-34709
https://github.com/directus/directus
https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf
https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3
https://nvd.nist.gov/vuln/detail/CVE-2024-34709
GHSA-g65h-35f3-x2w3 https://github.com/advisories/GHSA-g65h-35f3-x2w3
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/directus/directus
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T19:00:10Z/ Found at https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T19:00:10Z/ Found at https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-34709
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.45401
EPSS Score 0.00226
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:46:46.678355+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-g65h-35f3-x2w3/GHSA-g65h-35f3-x2w3.json 38.6.0