@directus/api@29.1.0 vulnerabilities

Directus is a real-time API and App dashboard for managing SQL database content

  • latest version

    29.1.1

  • first published

    2 years ago

  • latest version published

    12 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @directus/api package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • C
    External Control of File Name or Path

    @directus/api is a real-time API and App dashboard for managing SQL database content

    Affected versions of this package are vulnerable to External Control of File Name or Path via the `write` and `join` methods, which used the `fullPath` method to create the absolute path. An attacker can upload or modify files with arbitrary content and extensions by sending crafted requests, potentially bypassing authentication and input validation.

    How to fix External Control of File Name or Path?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: *