@directus/api@22.1.0 vulnerabilities

Directus is a real-time API and App dashboard for managing SQL database content

Direct Vulnerabilities

Known vulnerabilities in the @directus/api package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable versions
  • Severity: M (medium)
Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the loopback IP filter. The default filter only blocks the literal address 0.0.0.0, so an attacker who can make the server request an attacker-chosen URL can reach services bound to localhost by using another loopback address instead, such as 127.0.0.2 or 127.127.127.127: every address in 127.0.0.0/8 loops back to the host, not only 127.0.0.1. This is only exploitable if the deployment relies on the default filter to block access to localhost; a deny list that was explicitly configured to cover the whole loopback range is not affected.
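The entry above describes a deny list that matches the request host against the literal string 0.0.0.0. The following is an added example in Node.js, not code from Directus or from this page, that puts such a literal-string check beside a range-based one. The deny-list contents are constructed (Directus' real default list is not quoted here), and the hardened version also covers the alternative IPv4 spellings that the WHATWG URL parser canonicalises and IPv4-mapped IPv6 addresses, which go beyond the specific bypass the entry names.

```javascript
// Added example, not Directus code: why a deny list that compares the literal
// host string against "0.0.0.0" does not stop requests to localhost, and a
// range-based replacement that does. NAIVE_DENY is a constructed stand-in;
// Directus' real default list is not quoted on this page.
const NAIVE_DENY = new Set(['0.0.0.0', '169.254.169.254']);

// Weak check: literal string match on the parsed hostname.
function naiveAllows(urlString) {
  return !NAIVE_DENY.has(new URL(urlString).hostname);
}

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipv4ToInt(s) {
  const [a, b, c, d] = s.split('.').map(Number);
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

// Blocked IPv4 ranges as [network, prefix length].
const DENY_V4 = [
  ['0.0.0.0', 8],       // 0.0.0.0 reaches the local host on Linux; block all of 0/8
  ['127.0.0.0', 8],     // the entire loopback block, not just 127.0.0.1
  ['169.254.0.0', 16],  // link-local, including cloud metadata at 169.254.169.254
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], // RFC 1918
];

function v4InRange(ip, [network, prefix]) {
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

function isDeniedIPv4(ip) {
  return DENY_V4.some((range) => v4InRange(ip, range));
}

// Expand an IPv6 address (bracket-less, as the WHATWG URL parser serialises
// it, e.g. "::ffff:7f00:2") into eight 16-bit groups.
function expandIPv6(s) {
  const [head, tail = ''] = s.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const groups = [...h, ...Array(8 - h.length - t.length).fill('0'), ...t];
  return groups.map((g) => parseInt(g, 16));
}

function isDeniedIPv6(s) {
  const g = expandIPv6(s);
  // ::1 (loopback) and :: (unspecified)
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true;
  // IPv4-mapped ::ffff:a.b.c.d: apply the IPv4 rules to the embedded address
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    const v4 = `${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`;
    return isDeniedIPv4(v4);
  }
  return false;
}

// Hardened check. The WHATWG URL parser canonicalises "127.1", "0x7f000001"
// and "2130706433" to "127.0.0.1" and always brackets IPv6 hosts, so the
// hostname reaching this function is a dotted quad, a bracketed IPv6
// literal, or a DNS name.
function hardenedAllows(urlString) {
  const host = new URL(urlString).hostname;
  if (host === 'localhost') return false;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return !isDeniedIPv4(host);
  if (host.startsWith('[') && host.endsWith(']')) return !isDeniedIPv6(host.slice(1, -1));
  // A DNS name. This example does not resolve it; a real client must resolve
  // first, apply the same rules to every address returned, and connect to
  // that same address so a second lookup (DNS rebinding) cannot change it.
  return true;
}
```

The literal check passes `http://127.0.0.2/` because the string is not `0.0.0.0`; the range check rejects it, along with the decimal and hex spellings of 127.0.0.1 and the IPv4-mapped form `[::ffff:127.0.0.2]`, while leaving a public address such as 93.184.216.34 alone.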

How to fix Server-side Request Forgery (SSRF)?

Upgrade @directus/api to version 21.0.0, 22.1.1 or higher.

Vulnerable versions: <21.0.0, and >=22.0.0 <22.1.1
  • Severity: M (medium)
Session Fixation

Affected versions of this package are vulnerable to Session Fixation via the respond middleware. When a user completes an SSO login through the callback URL without a redirect query string in the URL, the credentials returned in that response can be obtained by a later client, so an attacker can access the credentials of the last user who authenticated via an SSO link in that way.
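The entry above names the respond middleware but does not state the root cause. The following is an added example in Node.js, not Directus code, that models the mechanism this class of bug usually has, which is an assumption here: a shared response cache keyed only on the request path that stores one user's authentication response and replays it to the next requester. The route, the handler and the request objects are constructed for the example.

```javascript
// Added example, not Directus code. Assumed mechanism: a response cache in a
// "respond" step that is keyed on the path alone and caches every 200 GET,
// including an SSO callback answered with tokens instead of a redirect.

// Constructed stand-in for an SSO callback handler. "code" stands in for the
// identity provider's result; without ?redirect= the handler returns the
// tokens as JSON, which is the case the entry describes.
function ssoCallbackHandler(req) {
  if (!req.query.code) return { status: 401, headers: {}, body: null, private: true };
  if (req.query.redirect) {
    return { status: 302, headers: { location: req.query.redirect }, body: null, private: true };
  }
  return {
    status: 200,
    headers: { 'content-type': 'application/json' },
    body: { data: { access_token: `token-for-${req.query.code}`, expires: 900000 } },
    private: true, // response is specific to one user
  };
}

// Weak policy: cache every successful GET.
function weakCacheable(req, res) {
  return req.method === 'GET' && res.status === 200;
}

// Hardened policy: never cache auth routes, redirects, or responses the
// handler marked as user-specific.
function hardenedCacheable(req, res) {
  if (req.method !== 'GET' || res.status !== 200) return false;
  if (res.private) return false;
  if (req.path.startsWith('/auth/')) return false;
  return true;
}

// Cache keys: path only (what the weak variant assumes) versus path plus
// query string, so that differently parameterised requests never collide.
const pathKey = (req) => req.path;
const fullUrlKey = (req) => req.path + '?' + new URLSearchParams(req.query).toString();

// A minimal "respond" step: serve from cache if present, otherwise run the
// handler and store the result when the policy allows it.
function makeRespond(policy, keyFn) {
  const cache = new Map();
  return function respond(req, handler) {
    const key = keyFn(req);
    if (cache.has(key)) return { ...cache.get(key), fromCache: true };
    const res = handler(req);
    if (policy(req, res)) cache.set(key, res);
    return { ...res, fromCache: false };
  };
}

// Alice completes SSO without a redirect; an attacker then requests the same
// callback path with no code at all.
function simulate(policy, keyFn) {
  const respond = makeRespond(policy, keyFn);
  const alice = { method: 'GET', path: '/auth/login/sso/callback', query: { code: 'alice' } };
  const attacker = { method: 'GET', path: '/auth/login/sso/callback', query: {} };
  const first = respond(alice, ssoCallbackHandler);
  const second = respond(attacker, ssoCallbackHandler);
  return { first, second };
}
```

Under the weak policy the attacker's request is answered from cache with Alice's access token; under the hardened policy it reaches the handler and gets a 401, since the callback response was never stored.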

How to fix Session Fixation?

Upgrade @directus/api to version 21.0.1, 22.2.0 or higher.

Vulnerable versions: <21.0.1, and >=22.0.0 <22.2.0