Vulnerability details: VCID-z7yb-1fvm-bqes
Vulnerability ID VCID-z7yb-1fvm-bqes
Aliases CVE-2024-46990
GHSA-68g8-c275-xf2m
Summary Directus vulnerable to SSRF Loopback IP filter bypass. If you're relying on blocking access to localhost using the default `0.0.0.0` filter, this can be bypassed using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`).
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (4)
System Score Found at
cvssv3.1 5.0 https://github.com/directus/directus
cvssv4 5.3 https://github.com/directus/directus
generic_textual MODERATE https://github.com/directus/directus
cvssv3.1 5 https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
cvssv3.1 5.0 https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
cvssv4 5.3 https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
generic_textual MODERATE https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
ssvc Track https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
cvssv3.1 5 https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
cvssv3.1 5.0 https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
cvssv4 5.3 https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
generic_textual MODERATE https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
ssvc Track https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
cvssv3.1 5 https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
cvssv3.1 5.0 https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
cvssv4 5.3 https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
generic_textual MODERATE https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
ssvc Track https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
cvssv3.1 5 https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
cvssv3.1 5.0 https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
cvssv4 5.3 https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
generic_textual MODERATE https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
ssvc Track https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
cvssv3.1 5 https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
cvssv3.1 5.0 https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
cvssv4 5.3 https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
generic_textual MODERATE https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
ssvc Track https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
cvssv3.1 5.0 https://nvd.nist.gov/vuln/detail/CVE-2024-46990
cvssv4 5.3 https://nvd.nist.gov/vuln/detail/CVE-2024-46990
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-46990
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/directus/directus
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/directus/directus
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/ Found at https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/ Found at https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/ Found at https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/ Found at https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/ Found at https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-46990
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-46990
No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-04T16:22:17.465166+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2024-46990.yml 38.6.0