Advisories for Npm/@Directus/Api package

2025

Directus allows updates to non-allowed fields due to overlapping policies

If there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies. E.g. have one policy allowing update access to field_a if the id == 1 and one policy allowing update access to field_b if the id == …

2024

Session is cached for OpenID and OAuth2 if `redirect` is not used

Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. For example: Project is configured with OpenID or OAuth2 Project is configured with cache enabled User tries to login via SSO link, but without redirect query string After successful login, credentials are cached If an unauthenticated user tries to login via SSO link, it will return the …

Directus Blind SSRF On File Import

There was already a reported SSRF vulnerability via file import. https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to …