SB2025032673 - Multiple vulnerabilities in Directus
Published: March 26, 2025 Updated: April 23, 2026
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2025-30225)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource shutdown in asset transformation handling when processing malformed transformation requests. A remote attacker can send a burst of specially crafted transformation requests to cause a denial of service.
This issue affects S3-backed assets and can cause all assets to be served as HTTP 403 responses.
2) Resource exhaustion (CVE-ID: CVE-2025-30350)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in the S3 asset handling component when processing a burst of HEAD requests. A remote attacker can send many HEAD requests to cause a denial of service.
The issue can make assets unavailable for all Directus access policies, including admin and public access.
3) Information disclosure (CVE-ID: CVE-2025-30353)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in Flows with a webhook trigger when a condition operation fails and the trigger's response body is set to "Data of Last Operation". A remote attacker can trigger the flow with input that causes a ValidationError and read the error payload returned in the response.
Exposed data may include environment variables, API keys, authorization headers, user accountability information, and the data of previous operations in the flow.
4) Information disclosure (CVE-ID: CVE-2025-30352)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the search query parameter handling when processing search queries on collections. A remote attacker can send a search query for fields they are not permitted to view to disclose sensitive information.
Exploitation is possible when the attacker has read access to a collection but not to all of its fields: the search query parameter is matched against string and numeric fields the attacker is not permitted to view, so the presence or absence of rows in the response reveals their contents.
5) Operation on a Resource after Expiration or Release (CVE-ID: CVE-2025-30351)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to operation on a resource after revocation in verifySessionJWT when verifying a session token for API access. A remote user can reuse a previously issued session token after the associated user has been suspended to disclose sensitive information.
The issue affects session auth mode, and exploitation requires obtaining a session token while the account is still active.
Remediation
Install the update from the vendor's website.
References
- https://github.com/directus/directus/security/advisories/GHSA-j8xj-7jff-46mx
- https://github.com/directus/directus/security/advisories/GHSA-rv78-qqrq-73m5
- https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h
- https://github.com/advisories/GHSA-fm3h-p9wm-h74h
- https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c
- https://github.com/directus/directus/security/advisories/GHSA-56p6-qw3c-fq2g