Server-Side Request Forgery (SSRF) in Directus - CVE-2024-39699


Published: July 8, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127101
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-39699
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a remote user to initiate HTTP GET requests to internal network resources.

The vulnerability exists because the URL-based file import functionality follows HTTP redirects without re-validating the redirect target. A remote user can supply a URL that redirects to an internal IP address, causing the server to issue HTTP GET requests to internal network resources.

The issue is blind: the response body is not returned to the user when the destination IP address is internal.


How to mitigate CVE-2024-39699

Install the security update from the vendor's website.

Sources