Directus, GraphQL Field Duplication Denial of Service (DoS), CVE-2024-39895 (High)

Listen to this Post

How CVE-2024-39895 Works

The GraphQL specification allows a single query to request the same field multiple times using aliases, with each alias typically resolved independently. In Directus versions prior to 10.12.0, the server did not deduplicate these resolver calls. This meant that each alias triggered a full, separate execution of the underlying resolver. Attackers could exploit this by crafting a single HTTP request that contained thousands of aliases for the same field, such as the health check resolver. The health check resolver performs intensive backend checks, including database connectivity, cache verification, storage I/O, and SMTP connection tests. When invoked repeatedly, this leads to massive resource consumption. The system GraphQL endpoint was also unauthenticated, meaning any network-accessible attacker could trigger this condition. As a result, a single malicious request could exhaust the database connection pool, overwhelm disk I/O, or saturate the mail server, causing a denial of service for all users.

DailyCVE Form

Platform: `Directus`
Version: `before 10.12.0`
Vulnerability: `GraphQL alias DoS`
Severity: `High`
Date: `2024-07-08`

Prediction: `Patch: 2024-07-08`

What Undercode Say

Check if a Directus instance is vulnerable (requires valid auth token)
curl -X POST http://target-host/graphql \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"query":"query { healthCheck { status } healthCheck2: healthCheck { status } ... }"}'

Exploit

A Python script can generate a massive GraphQL query that repeats the same field hundreds or thousands of times, forcing the server to execute the same resolver repeatedly.

Protection from this CVE

Upgrade to Directus version 10.12.0 or later, which introduces request-scoped resolver deduplication. If upgrading is not immediately possible, restrict network access to the `/graphql` endpoint and implement rate limiting.

Impact

  • Service degradation or outage: Database connection pool exhaustion prevents all Directus operations for all users.
  • Storage I/O saturation: Concurrent file writes can overwhelm disk I/O.
  • SMTP resource exhaustion: Concurrent SMTP verification calls may overwhelm the mail server.
  • No authentication required: Any network-accessible attacker can trigger this condition.
  • Single-request impact: A single request is sufficient to cause significant resource consumption.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top