SB2025032673 - Multiple vulnerabilities in Directus



Published: March 26, 2025 Updated: April 23, 2026

Security Bulletin ID: SB2025032673
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

High 20%, Medium 60%, Low 20% (one high, three medium, one low)

Description

This security bulletin contains information about 5 vulnerabilities.


1) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2025-30225)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows an unauthenticated remote attacker to cause a denial of service.

The vulnerability exists because the asset transformation handler does not release the resources it holds when a malformed transformation request fails. A remote attacker can send a burst of specially crafted transformation requests to exhaust those resources and cause a denial of service.

The issue affects S3-backed assets. Once the resources are exhausted, every asset request, not only the crafted ones, is answered with HTTP 403.


2) Resource exhaustion (CVE-ID: CVE-2025-30350)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows an unauthenticated remote attacker to cause a denial of service.

The vulnerability exists because the S3 asset handling component does not release the resources it holds for HEAD requests, whose responses carry no body. A remote attacker can send a burst of HEAD requests to exhaust those resources and cause a denial of service.

The issue makes assets unavailable under every Directus access policy, including administrator and public access.


3) Information disclosure (CVE-ID: CVE-2025-30353)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because a Flow with a webhook trigger and the "Data of Last Operation" response body returns the error of a failed condition operation as-is. When the condition fails with a ValidationError, the error carries data beyond the operation's own output. A remote attacker who can trigger the flow with input that fails the condition receives that data in the webhook response.

Exposed data may include environment variables, API keys, authorization headers, user accountability information, and the output of previous operations. Until the fix is applied, webhook flows reachable by untrusted callers should not use the "Data of Last Operation" response body.


4) Information disclosure (CVE-ID: CVE-2025-30352)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the search query parameter is matched against every string and numeric field of a collection, including fields the requesting user is not permitted to read. A remote attacker with read access to the collection can send search queries that match values in non-permitted fields; since a row is returned only when a value matches, the attacker can confirm or incrementally recover the contents of those fields.

Exploitation requires access to the collection and works against non-permitted string or numeric fields.


5) Operation on a Resource after Expiration or Release (CVE-ID: CVE-2025-30351)

CWE-ID: CWE-672 - Operation on a Resource after Expiration or Release

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists because verifySessionJWT validates a session token for API access without re-checking the status of the user who owns the session. A remote user can keep using a previously issued session token after the account has been suspended, for as long as the token remains valid, to disclose sensitive information.

The issue affects session authentication mode only. Exploitation requires obtaining a session token while the account is still active; on affected versions, suspending an account therefore does not immediately cut off its existing sessions.


Remediation

Install the update from the vendor's website; the bulletin lists a patch as available for all five issues.