CVE-2025-30350: Directus's S3 assets become unavailable after a burst of HEAD requests
Some tools use Directus to sync content and assets. Some of those tools, such as Shopify, use the HEAD method to check whether files exist. However, when many HEAD requests are made at once, at some point all assets start being served as 403.
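One way to look for this failure pattern in reverse-proxy access logs, as an added example that is not part of the advisory or Directus's own code: it flags a burst of HEAD requests on asset paths that is followed by nearly all asset responses being 403. The combined log format, the `/assets/` path prefix, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Combined-log-format prefix. The /assets/ path filter is an assumption about
# how the Directus asset endpoint appears in your proxy logs.
LINE = re.compile(r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Return (timestamp, method, status) for asset requests, else None."""
    m = LINE.match(line)
    if not m or not m["path"].startswith("/assets/"):
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["method"], int(m["status"])

def find_head_burst_outage(lines, burst=20, window=timedelta(seconds=10),
                           follow_up=timedelta(minutes=5), min_403_ratio=0.9):
    """Flag a HEAD burst on assets that is followed by near-total 403s."""
    events = sorted(e for e in map(parse, lines) if e)
    heads, burst_end = deque(), None
    for ts, method, _ in events:
        if method != "HEAD":
            continue
        heads.append(ts)
        while ts - heads[0] > window:      # keep only HEADs inside the window
            heads.popleft()
        if len(heads) >= burst:
            burst_end = ts                 # last moment the burst threshold held
    if burst_end is None:
        return None
    after = [s for ts, _, s in events if burst_end < ts <= burst_end + follow_up]
    if not after:
        return None
    ratio = sum(s == 403 for s in after) / len(after)
    if ratio < min_403_ratio:
        return None
    return {"burst_end": burst_end, "requests_after": len(after), "ratio_403": ratio}

def sample_log():
    """Constructed log lines: normal GETs, a HEAD burst, then 403 on every asset."""
    fmt = '203.0.113.7 - - [01/Apr/2025:12:00:{:02d} +0000] "{} /assets/file-{} HTTP/1.1" {} 0'
    lines = [fmt.format(s, "GET", s, 200) for s in range(5)]
    lines += [fmt.format(10 + i // 10, "HEAD", i, 200) for i in range(25)]
    lines += [fmt.format(20 + i, "GET", i, 403) for i in range(6)]
    return lines

if __name__ == "__main__":
    print(find_head_burst_outage(sample_log()))
```

Tune `burst` and `window` to the normal HEAD rate of your sync tools so that routine existence checks do not trip the alert.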