#VU127101 Server-Side Request Forgery (SSRF) in Directus - CVE-2024-39699

Published: July 8, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127101
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-39699
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Directus
Software vendor: Directus

Description

The vulnerability allows a remote user to initiate HTTP GET requests to internal network resources.

The vulnerability exists due to server-side request forgery in the file import functionality when following redirects during URL-based file import. A remote user can supply a URL that redirects to an internal IP address to initiate HTTP GET requests to internal network resources.

The issue is blind: when the destination IP address is internal, the response is not returned to the requesting user.
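The weakness described above is that the destination check is applied to the user-supplied URL but not to the URL a redirect points at, so a public host that answers with a 302 to a private address gets fetched anyway. The block below is an added example (not Directus code) of the defensive pattern: refuse to auto-follow redirects, and re-validate scheme and resolved address on every hop before the next request is made. DNS and HTTP are replaced by constructed synchronous stubs (resolve, fetchOnce, the "files.example" and "intranet.internal" hosts and their addresses are all made up) so it runs offline; a real implementation would make the same two calls asynchronously.

```javascript
// Added example, not part of the advisory or the Directus project:
// hop-by-hop validation of a redirect chain before a server-side fetch.

// Address ranges a server-side fetcher should never be sent to.
// Assumption: this list is what the deployment considers "internal".
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

// Dotted-quad string -> 32-bit integer, or null if it is not a valid IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

function isBlockedIPv4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // unparseable: fail closed
  return BLOCKED_V4.some(([base, bits]) => {
    const b = ipv4ToInt(base);
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((b & mask) >>> 0);
  });
}

// Accepts a bare IPv4/IPv6 literal (brackets allowed) and says whether it is internal.
function isBlockedAddress(addr) {
  const a = addr.replace(/^\[|\]$/g, "").toLowerCase();
  if (a.includes(":")) {
    if (a === "::" || a === "::1") return true;             // unspecified / loopback
    const mapped = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (mapped) return isBlockedIPv4(mapped[1]);            // IPv4-mapped IPv6
    if (/^f[cd]/.test(a)) return true;                      // fc00::/7 unique local
    if (/^fe[89ab]/.test(a)) return true;                   // fe80::/10 link-local
    return false;
  }
  return isBlockedIPv4(a);
}

// Follows redirects manually. `resolve(host)` returns the addresses a hostname
// maps to; `fetchOnce(href)` performs ONE request without following redirects
// and returns { status, headers }. Every hop is checked before it is fetched.
function fetchFollowingRedirectsSafely(startUrl, { resolve, fetchOnce, maxHops = 5 }) {
  let url = new URL(startUrl);
  for (let hop = 0; hop <= maxHops; hop++) {
    if (url.protocol !== "http:" && url.protocol !== "https:") {
      throw new Error(`blocked: scheme ${url.protocol} at hop ${hop}`);
    }
    const addrs = resolve(url.hostname);
    if (addrs.length === 0 || addrs.some(isBlockedAddress)) {
      throw new Error(`blocked: ${url.hostname} resolves to an internal address (hop ${hop})`);
    }
    const res = fetchOnce(url.href);
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      url = new URL(res.headers.location, url); // relative Location is resolved against the current URL
      continue;
    }
    return { finalUrl: url.href, status: res.status, hops: hop };
  }
  throw new Error(`blocked: more than ${maxHops} redirects`);
}

// Constructed offline stand-ins for DNS and HTTP (hosts and addresses are made up).
const DNS = {
  "files.example": ["203.0.113.10"],
  "intranet.internal": ["10.0.0.5"],
};
const RESPONSES = {
  "https://files.example/start": { status: 302, headers: { location: "https://files.example/real" } },
  "https://files.example/real":  { status: 200, headers: {} },
  "https://files.example/evil":  { status: 302, headers: { location: "http://intranet.internal/" } },
  "https://files.example/loop":  { status: 302, headers: { location: "/loop" } },
};
const stubs = {
  resolve: (host) => DNS[host] || [],
  fetchOnce: (href) => RESPONSES[href] || { status: 404, headers: {} },
  maxHops: 5,
};
```

With these stubs, the chain that redirects from the public host to the private one is refused at hop 1 with an "internal address" error, while the benign redirect completes. One caveat a practitioner should keep in mind: the check resolves the hostname and then lets the HTTP client resolve it again, which leaves a window for DNS rebinding; closing it means pinning the connection to the address that was checked (for example via a custom lookup on the HTTP agent) rather than resolving twice.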


Remediation

Install the security update from the vendor's website.

External links