Directus, SSRF Protection Bypass, CVE-2023-26431 (Moderate)

Listen to this Post

How the CVE Works

Directus uses an IP deny-list to block requests to internal or private network ranges. However, its validation logic did not normalize IPv4-mapped IPv6 addresses before checking them against the deny-list. For example, an attacker could supply `::ffff:127.0.0.1` instead of 127.0.0.1. The deny-list check failed to recognize this as a loopback address, while the underlying HTTP client and operating system still resolved and connected to the intended private target. This allowed an authenticated (or unauthenticated, if public file‑import permissions were enabled) attacker to bypass SSRF protections and send requests to internal services such as databases, caches, internal APIs, or cloud metadata endpoints (e.g., AWS, GCP, Azure IMDS). The flaw was fixed by adding a normalization step that converts IPv4‑mapped IPv6 addresses to their canonical IPv4 form prior to validation.

DailyCVE Form

Platform: Directus
Version: <=9.22.4
Vulnerability: SSRF bypass
Severity: MODERATE
date: 2023‑06‑20

Prediction: 2023‑06‑30

What Undercode Say

Bash command to test for the vulnerability by attempting to fetch metadata from AWS IMDS using an IPv4‑mapped IPv6 address:

curl -X POST "http://directus-instance/files/import" \
-H "Authorization: Bearer <valid-token>" \
-d '{"url":"http://[::ffff:169.254.169.254]/latest/meta-data/"}' \
-o response.txt

If the response contains IMDS data, the instance is vulnerable.

Exploit

An attacker can craft a file‑import request using an IPv4‑mapped IPv6 address to reach internal endpoints that are normally blocked, e.g.,

{
"url": "http://[::ffff:127.0.0.1]:6379/INFO" // Redis info
}

Because the deny‑list only sees `::ffff:127.0.0.1` as an IPv6 address, it does not block the request. The HTTP client then connects to the intended internal service.

Protection from this CVE

  • Upgrade Directus to a version that includes the normalization fix (e.g., `>=9.22.5` or the latest stable).
  • Manually block IPv4‑mapped IPv6 addresses by adding `::ffff:0.0.0.0/96` to your deny‑list, or better, implement a proper IP normalisation layer.
  • Restrict file‑import permissions to only trusted users, or disable public file imports entirely.

Impact

  • Internal network reconnaissance – Attackers can map internal services and their versions.
  • Data exfiltration – Sensitive data from databases, caches, or internal APIs can be read.
  • Cloud metadata compromise – Cloud instance metadata (IMDS) can be accessed, potentially exposing credentials or other secrets.
  • Lateral movement – SSRF can be used as a stepping stone to attack other internal hosts.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top