Protection Mechanism Failure in Directus - #VU127093

Published: September 14, 2023 / Updated: April 23, 2026


Vulnerability identifier: #VU127093
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Directus
Software vendor: Directus

Description

The vulnerability allows a remote user to execute arbitrary code outside the sandbox.

The vulnerability exists due to improper enforcement of the vm2 sandbox used by the "Run Script" operation in flows when processing promise handlers. A remote privileged user can bypass the promise handler sanitization and execute arbitrary code outside the sandbox.

User interaction is required.


Remediation

Install security update from vendor's website.

External links